NEW QUESTION 1
- (Topic 1) 
Which of the following pairings uses technology to enforce access control policies? 


A. Preventive/Administrative
B. Preventive/Technical
C. Preventive/Physical
D. Detective/Administrative


Answer: B 


Explanation: 

The preventive/technical pairing uses technology to enforce access control policies. 

TECHNICAL CONTROLS 

Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and 
software, and related devices. Technical controls are sometimes referred to as logical controls. 

Preventive Technical Controls 

Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources. Examples of these 
controls include: 

Access control software.
Antivirus software.
Library control systems.
Passwords.
Smart cards.
Encryption.
Dial-up access control and callback systems.

Preventive Physical Controls 

Preventive physical controls are employed to prevent unauthorized personnel from entering computing facilities (i.e., locations housing computing resources, 
supporting utilities, computer hard copy, and input data media) and to help protect against natural disasters. Examples of these controls include: 

Backup files and documentation.
Fences.
Security guards.
Badge systems.
Double door systems.
Locks and keys.
Backup power.
Biometric access controls.
Site selection.
Fire extinguishers.

Preventive Administrative Controls 

Preventive administrative controls are personnel-oriented techniques for controlling people's behavior to ensure the confidentiality, integrity, and availability of
computing data and programs. Examples of preventive administrative controls include:

Security awareness and technical training.
Separation of duties.
Procedures for recruiting and terminating employees.
Security policies and procedures.
Supervision.
Disaster recovery, contingency, and emergency plans.
User registration for computer access.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.


NEW QUESTION 2 
- (Topic 1) 
Controlling access to information systems and associated networks is necessary for the preservation of their: 


A. Authenticity, confidentiality and availability
B. Confidentiality, integrity, and availability.
C. Integrity and availability.
D. Authenticity, confidentiality, integrity and availability.


Answer: B 


Explanation: 
Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity and availability. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 31. 


NEW QUESTION 3
- (Topic 1)
Physical security is accomplished through proper facility construction, fire and water protection, anti-theft mechanisms, intrusion detection systems, and security
procedures that are adhered to and enforced. Which of the following is not a component that achieves this type of security?


A. Administrative control mechanisms
B. Integrity control mechanisms
C. Technical control mechanisms
D. Physical control mechanisms


Answer: B 


Explanation: 

Integrity control mechanisms are not part of physical security. All of the other choices are components of physical security; this is the distractor that does not belong
to physical security. Below you have more details extracted from the SearchSecurity web site: Information security depends on the security and management of the
physical space in which computer systems operate. Domain 9 of the CISSP exam's Common Body of Knowledge addresses the challenges of securing the
physical space, its systems and the people who work within it by use of administrative, technical and physical controls. The following topics are
covered:

Facilities management: The administrative processes that govern the maintenance and protection of the physical operations space, from site selection through 
emergency response. 

Risks, issues and protection strategies: Risk identification and the selection of security protection components. 

Perimeter security: Typical physical protection controls. 

Facilities management 

Facilities management is a complex component of corporate security that ranges from the planning of a secure physical site to the management of the physical 
information system environment. Facilities management responsibilities include site selection and physical security planning (i.e. facility construction, design and
layout, fire and water damage protection, antitheft mechanisms, intrusion detection and security procedures.) Protections must extend to both people and assets. 
The necessary level of protection depends on the value of the assets and data. CISSP® candidates must learn the concept of critical-path analysis as a means of 
determining a component's business function criticality relative to the cost of operation and replacement. Furthermore, students need to gain an understanding of 
the optimal location and physical attributes of a secure facility. Among the topics covered in this domain are site inspection, location, accessibility and
obscurity, considering the area crime rate, and the likelihood of natural hazards such as floods or earthquakes. 

This domain also covers the quality of construction material, such as its protective qualities and load capabilities, as well as how to lay out the structure to minimize 
risk of forcible entry and accidental damage. Regulatory compliance is also touched on, as is preferred proximity to civil protection services, such as fire and police 
stations. Attention is given to computer and equipment rooms, including their location, configuration (entrance/egress requirements) and their proximity to wiring 
distribution centers at the site. 

Physical risks, issues and protection strategies 

An overview of physical security risks includes risk of theft, service interruption, physical damage, compromised system integrity and unauthorized disclosure of 
information. Interruptions to business can manifest due to loss of power, services, telecommunications connectivity and water supply. These can also seriously 
compromise electronic security monitoring alarm/response devices. Backup options are also covered in this domain, as is a strategy for quantifying the risk 
exposure by simple formula. 

Investment in preventive security can be costly. Appropriate redundancy of people skills, systems and infrastructure must be based on the criticality of the data and 
assets to be preserved. Therefore a strategy is presented that helps determine the selection of cost appropriate controls. Among the topics covered in
this domain are regulatory and legal requirements, common standard security protections such as locks and fences, and the importance of establishing service 
level agreements for maintenance and disaster support. Rounding out the optimization approach are simple calculations for determining mean time between failure 
and mean time to repair (used to estimate average equipment life expectancy), essential for estimating the cost/benefit of purchasing and maintaining redundant
equipment. 

As the lifeblood of computer systems, special attention is placed on adequacy, quality and protection of power supplies. CISSP candidates need to understand 
power supply concepts and terminology, including those for quality (i.e. transient noise vs. clean power); types of interference (EMI and RFI); and types of 
interruptions such as power excess by spikes and surges, power loss by fault or blackout, and power degradation from sags and brownouts. A simple formula is 
presented for determining the total cost per hour for backup power. Proving power reliability through testing is recommended and the advantages of three power 
protection approaches are discussed (standby UPS, power line conditioners and backup sources) including minimum requirements for primary and alternate power 
provided. 

Environmental controls are explored in this domain, including the value of positive pressure water drains and climate monitoring devices used to control 
temperature, humidity and reduce static electricity. Optimal temperatures and humidity settings are provided. 

Recommendations include strict procedures during emergencies, preventing typical risks (such as blocked fans), and the use of antistatic armbands and 
hygrometers. Positive pressurization for proper ventilation and monitoring for air born contaminants is stressed. 

The pros and cons of several detection response systems are deeply explored in this domain. The concept of combustion, the classes of fire and fire extinguisher 
ratings are detailed. Mechanisms behind smoke-activated, heat-activated and flame-activated devices and Automatic Dial-up alarms are covered, along with their 
advantages, costs and shortcomings. Types of fire sources are distinguished and the effectiveness of fire suppression methods for each is included. For instance, 
Halon and its approved replacements are covered, as are the advantages and the inherent risks to equipment of the use of water sprinklers. 

Administrative controls 

The physical security domain also deals with administrative controls applied to physical sites and assets. The need for skilled personnel, knowledge sharing 
between them, separation of duties, and appropriate oversight in the care and maintenance of equipment and environments is stressed. A list of management 
duties including hiring checks, employee maintenance activities and recommended termination procedures is offered. Emergency measures include accountability 
for evacuation and system shutdown procedures, integration with disaster and business continuity plans, assuring documented procedures are easily available 
during different types of emergencies, the scheduling of periodic equipment testing, administrative reviews of documentation, procedures and recovery plans, 
responsibilities delegation, and personnel training and drills. 

Perimeter security 

Domain nine also covers the devices and techniques used to control access to a space. These include access control devices, surveillance monitoring, intrusion 
detection and corrective actions. Specifications are provided for optimal external boundary protection, including fence heights and placement, and lighting 
placement and types. Selection of door types and lock characteristics are covered. Surveillance methods and intrusion-detection methods are explained, including 
the use of video monitoring, guards, dogs, proximity detection systems, photoelectric/photometric systems, wave pattern devices, passive infrared systems, and
sound and motion detectors, and current flow sensitivity devices that specifically address computer theft. Room lock types, both preset and cipher locks (and
their variations), device locks, such as portable laptop locks, lockable server bays, switch control locks and slot locks, port controls, peripheral switch controls and
cable trap locks are also covered. Personal access control methods used to identify authorized users for site entry are covered at length, noting social engineering 
risks such as piggybacking. Wireless proximity devices, both user access and system sensing readers are covered (i.e. transponder based, passive devices and 
field powered devices) in this domain. 

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 280.


NEW QUESTION 4 
- (Topic 1) 
What is called the type of access control where there are pairs of elements that have the least upper bound of values and greatest lower bound of values? 


A. Mandatory model
B. Discretionary model
C. Lattice model
D. Rule model


Answer: C 


Explanation: 

In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values. 

Reference(s) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34. 


NEW QUESTION 5 
- (Topic 1) 
To control access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up: 


A. Access Rules
B. Access Matrix
C. Identification controls
D. Access terminal

Answer: A


Explanation: 

Controlling access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up access rules. 
These rules can be classified into three access control models: Mandatory, Discretionary, and Non-Discretionary. 

An access matrix is one of the means used to implement access control. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33. 


NEW QUESTION 6
- (Topic 1)
Which of the following access control techniques best gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that
maps naturally to an organization's structure?


A. Access control lists
B. Discretionary access control
C. Role-based access control
D. Non-mandatory access control


Answer: C 


Explanation: 

Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to 
an organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. An 
access control list (ACL) is a table that tells a system which access rights each user has to a particular system object. With discretionary access control, 
administration is decentralized and owners of resources control other users' access. Non-mandatory access control is not a defined access control technique. 
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 9). 
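The access rules of QUESTION 5 and the comparison of RBAC, ACLs and DAC in QUESTION 6, carried through as working code. This is an added example, not code from the page or from the cited guides; the subjects, objects, roles and rights are constructed sample data. It shows that an ACL is one column of the access matrix, a capability list is one row, that under DAC the owner decides who else gets access, and that RBAC adds a role layer between users and permissions that can be expanded back into the same matrix.

```python
from collections import defaultdict


class AccessMatrix:
    """Sparse access matrix: {(subject, object): set of rights}."""

    def __init__(self):
        self.cells = defaultdict(set)

    def grant(self, subject, obj, *rights):
        self.cells[(subject, obj)].update(rights)

    def revoke(self, subject, obj, *rights):
        self.cells[(subject, obj)].difference_update(rights)

    def allowed(self, subject, obj, right):
        return right in self.cells.get((subject, obj), set())

    def acl(self, obj):
        """An ACL is one column of the matrix: which subjects hold which rights on obj."""
        return {s: set(r) for (s, o), r in self.cells.items() if o == obj and r}

    def capabilities(self, subject):
        """A capability list is one row: which objects this subject may access."""
        return {o: set(r) for (s, o), r in self.cells.items() if s == subject and r}


class RBAC:
    """Users are assigned roles; roles carry (object, right) permissions."""

    def __init__(self):
        self.role_perms = defaultdict(set)
        self.user_roles = defaultdict(set)

    def add_permission(self, role, obj, right):
        self.role_perms[role].add((obj, right))

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def deassign(self, user, role):
        self.user_roles[user].discard(role)

    def allowed(self, user, obj, right):
        return any((obj, right) in self.role_perms[r] for r in self.user_roles[user])

    def to_matrix(self):
        """Expand user -> role -> permission into the equivalent access matrix."""
        m = AccessMatrix()
        for user, roles in self.user_roles.items():
            for role in roles:
                for obj, right in self.role_perms[role]:
                    m.grant(user, obj, right)
        return m


def dac_demo():
    """DAC (constructed scenario): the owner of a resource decides who else gets access."""
    m = AccessMatrix()
    m.grant("alice", "report.docx", "own", "read", "write")
    # alice holds the "own" right, so she may grant bob read access; bob gets no "own".
    if m.allowed("alice", "report.docx", "own"):
        m.grant("bob", "report.docx", "read")
    return m


def rbac_demo():
    """RBAC (constructed scenario): roles mirror job functions, not individual users."""
    r = RBAC()
    r.add_permission("auditor", "audit.log", "read")
    r.add_permission("operator", "audit.log", "read")
    r.add_permission("operator", "audit.log", "rotate")
    r.assign("jane", "auditor")
    r.assign("sam", "operator")
    return r
```

Revoking a role with `deassign` removes every permission that role carried in one step, which is the administrative advantage the question is after: when someone changes job function you change their role assignment, not dozens of matrix cells.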


NEW QUESTION 7 
- (Topic 1) 
In the Bell-LaPadula model, the Star-property is also called: 


A. The simple security property 
B. The confidentiality property 
C. The confinement property 
D. The tranquility property 


Answer: B 


Explanation: 

The Bell-LaPadula model focuses on data confidentiality and access to classified information, in contrast to the Biba Integrity Model which describes rules for the 
protection of data integrity. 

In this formal model, the entities in an information system are divided into subjects and objects. 

The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby proving 
that the system satisfies the security objectives of the model. 

The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a system. The transition from one state to another state is 
defined by transition functions. 

A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. 

To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the 
combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. 

The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access 
control (DAC) rule with three security properties: 

The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up).

The *-property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The *-property is also
known as the Confinement property.

The Discretionary Security Property - use an access control matrix to specify the discretionary access control.

The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell-LaPadula model via the concept of trusted
subjects. Trusted subjects are not restricted by the *-property; untrusted subjects are.

Trusted Subjects must be shown to be trustworthy with regard to the security policy. This security model is directed toward access control and is characterized by 
the phrase: "no read up, no write down." Compare the Biba model, the Clark-Wilson model and the Chinese Wall. 

With Bell-LaPadula, users can create content only at or above their own security level (i.e. secret researchers can create secret or top-secret files but may not
create public files; no write-down). Conversely, users can view content only at or below their own security level (i.e. secret researchers can view public or secret
files, but may not view top-secret files; no read-up).

Strong *-Property

The Strong *-Property is an alternative to the *-Property in which subjects may write only to objects with a matching security level. Thus, the write-up operation
permitted in the usual *-Property is not present, only a write-to-same-level operation. The Strong *-Property is usually discussed in the context of multilevel database
management systems and is motivated by integrity concerns.

Tranquility principle 

The tranquility principle of the Bell-LaPadula model states that the classification of a subject or object does not change while it is being referenced. There are two 
forms to the tranquility principle: the "principle of strong tranquility" states that security levels do not change during the normal operation of the system and the 
"principle of weak tranquility" states that security levels do not change in a way that violates the rules of a given security policy. 

Another interpretation of the tranquility principles is that they both apply only to the period of time during which an operation involving an object or subject is 
occurring. That is, the strong tranquility principle means that an object's security level/label will not change during an operation (such as read or write); the weak 
tranquility principle means that an object's security level/label may change in a way that does not violate the security policy during an operation. 

Reference(s) used for this question:
http://en.wikipedia.org/wiki/Biba_Model
http://en.wikipedia.org/wiki/Mandatory_access_control
http://en.wikipedia.org/wiki/Discretionary_access_control
http://en.wikipedia.org/wiki/Clark-Wilson_model
http://en.wikipedia.org/wiki/Brewer_and_Nash_model
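The lattice of QUESTION 4 and the Bell-LaPadula rules of QUESTION 7 (simple security property, *-property, strong *-property, trusted subjects) as one runnable model. This is an added example, not code from the page or from the references above; the classification names, compartment names and sample levels are constructed. A security level is the pair (classification, set of compartments); two levels have a least upper bound (the higher classification, union of compartments) and a greatest lower bound (the lower classification, intersection of compartments), and two levels with different compartments can be incomparable, which is why the clearance/classification scheme is a lattice rather than a simple ordering.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed ordering of classifications; compartments are free-form names.
CLASSIFICATIONS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class Level:
    classification: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        """self >= other: classification at least as high AND compartments a superset."""
        return (RANK[self.classification] >= RANK[other.classification]
                and self.compartments >= other.compartments)


def lub(a: Level, b: Level) -> Level:
    """Least upper bound: the higher classification, union of compartments."""
    higher = a if RANK[a.classification] >= RANK[b.classification] else b
    return Level(higher.classification, a.compartments | b.compartments)


def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound: the lower classification, intersection of compartments."""
    lower = a if RANK[a.classification] <= RANK[b.classification] else b
    return Level(lower.classification, a.compartments & b.compartments)


def incomparable(a: Level, b: Level) -> bool:
    """Neither level dominates the other (typically: disjoint compartments)."""
    return not a.dominates(b) and not b.dominates(a)


def can_read(subject: Level, obj: Level) -> bool:
    """Simple security property: no read-up (the subject must dominate the object)."""
    return subject.dominates(obj)


def can_write(subject: Level, obj: Level, trusted: bool = False, strong: bool = False) -> bool:
    """*-property: no write-down (the object must dominate the subject).
    trusted=True models a trusted subject, which the *-property does not bind.
    strong=True applies the strong *-property: write only at an equal level."""
    if trusted:
        return True
    if strong:
        return subject == obj
    return obj.dominates(subject)


# Constructed sample levels.
PUBLIC = Level("UNCLASSIFIED")
SECRET_NUC = Level("SECRET", frozenset({"NUC"}))
SECRET_CRYPTO = Level("SECRET", frozenset({"CRYPTO"}))
TOP_SECRET_ALL = Level("TOP SECRET", frozenset({"NUC", "CRYPTO"}))
```

Note that a TOP SECRET level with no compartments does not dominate SECRET/NUC: the compartment check is what makes the structure a lattice, and it is also why `can_read(SECRET_NUC, SECRET_CRYPTO)` is false even though both carry the same classification.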


NEW QUESTION 8 
- (Topic 1) 
Which of the following centralized access control mechanisms is the least appropriate for mobile workers accessing the corporate network over analog lines? 
A. TACACS
B. Call-back
C. CHAP
D. RADIUS


Answer: B 


Explanation: 

Call-back allows for a distant user connecting into a system to be called back at a number already listed in a database of trusted users. The disadvantage of this
system is that the user must be at a fixed location whose phone number is known to the authentication server. Being mobile workers, users are accessing the
system from multiple locations, making call-back inappropriate for them.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: 
Access control systems (page 44). 


NEW QUESTION 9 
- (Topic 1) 
What is the most critical characteristic of a biometric identifying system? 


A. Perceived intrusiveness
B. Storage requirements
C. Accuracy
D. Scalability


Answer: C 


Explanation: 

Accuracy is the most critical characteristic of a biometric identifying verification system. 

Accuracy is measured in terms of false rejection rate (FRR, or type I errors) and false acceptance rate (FAR, or type II errors).

The Crossover Error Rate (CER) is the point at which the FRR equals the FAR and has become the most important measure of biometric system accuracy. 
Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric 
Identification (page 9). 


NEW QUESTION 10 
- (Topic 1) 
In biometrics, the "one-to-one" search used to verify claim to an identity made by a person is considered: 


A. Authentication
B. Identification
C. Auditing
D. Authorization


Answer: A 


Explanation: 

Biometric devices can be used for either IDENTIFICATION or AUTHENTICATION.

ONE TO ONE is for AUTHENTICATION

This means that you as a user provide some biometric credential such as your fingerprint. The system then compares the template you have provided with
the one stored in the database. If the two match, that proves you are who you claim to be.

ONE TO MANY is for IDENTIFICATION 

A good example of this would be an airport. Many airports today have facial recognition cameras: as you walk through the airport, a camera takes a picture of your
face and compares the template (your face) with a database full of templates to see if there is a match between your template and the ones stored in the
database. This is IDENTIFICATION of a person.

Some additional clarification or comments that might be helpful are: Biometrics establish authentication using specific information and comparing results to
expected data. They do not perform well for identification purposes such as scanning for a person's face in a moving crowd, for example.

Identification methods could include: username, user ID, account number, PIN, certificate, token, smart card, biometric device or badge. 

Auditing is a process of logging or tracking what was done after the identity and authentication process is completed. 

Authorization is the rights the subject is given and is performed after the identity is established. 

Reference OIG (2007) p148, 167 

Authentication in biometrics is a "one-to-one" search to verify a claim to an identity made by a person.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38. 
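The accuracy measures of QUESTION 9 (FRR, FAR and the crossover error rate) and the one-to-one versus one-to-many searches of QUESTION 10, worked through in code. This is an added example, not code from the page or the cited handbooks. The templates, the bit-string "matcher" and the genuine/impostor score lists are all constructed stand-ins for a real biometric algorithm and a real evaluation run; the point is the decision logic around the matcher, which is the same whatever the vendor algorithm. Verification compares the sample against exactly one template (the claimed identity); identification searches every enrolled template. The threshold sweep shows that raising the threshold lowers FAR while raising FRR, and finds the threshold where the two are equal, which is the CER.

```python
# Constructed enrollment database: short feature strings standing in for templates.
TEMPLATES = {"alice": "10110011", "bob": "01100110", "carol": "11001100"}

# Constructed matcher scores from a hypothetical evaluation: genuine = a user
# compared with their own template, impostor = compared with someone else's.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.79, 0.74, 0.70, 0.66, 0.61, 0.58, 0.52]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.38, 0.44, 0.49, 0.55, 0.60, 0.68]


def similarity(sample: str, template: str) -> float:
    """Toy matcher: fraction of feature positions on which sample and template agree."""
    return sum(a == b for a, b in zip(sample, template)) / len(template)


def verify(claimed_user: str, sample: str, threshold: float) -> bool:
    """One-to-one (authentication): compare only against the claimed identity's template."""
    return similarity(sample, TEMPLATES[claimed_user]) >= threshold


def identify(sample: str, threshold: float):
    """One-to-many (identification): search every enrolled template and return the
    best match if it clears the threshold, otherwise None."""
    user, score = max(((u, similarity(sample, t)) for u, t in TEMPLATES.items()),
                      key=lambda pair: pair[1])
    return user if score >= threshold else None


def frr(threshold: float, genuine=GENUINE_SCORES) -> float:
    """False rejection rate (Type I error): genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: float, impostor=IMPOSTOR_SCORES) -> float:
    """False acceptance rate (Type II error): impostor attempts scoring at or above it."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=100):
    """Sweep the decision threshold over [0, 1] and return (threshold, CER), the
    point where FRR and FAR are closest to equal."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        gap = abs(frr(t, genuine) - far(t, impostor))
        if best is None or gap < best[0]:
            best = (gap, t, (frr(t, genuine) + far(t, impostor)) / 2)
    return best[1], best[2]
```

With the constructed scores, a threshold of 0.5 rejects no genuine users but accepts three in ten impostors; the crossover lies near 0.59, where both rates are 20%. A lower CER means a more accurate system, which is why the CER is the figure vendors are compared on.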


NEW QUESTION 10 
- (Topic 1) 
Controls to keep password sniffing attacks from compromising computer systems include which of the following? 


A. static and recurring passwords. 
B. encryption and recurring passwords. 
C. one-time passwords and encryption. 
D. static and one-time passwords. 


Answer: C 


Explanation: 

To minimize the chance of passwords being captured, one-time passwords prevent a password sniffing attack because once used, a password is no longer valid.
Encryption will also minimize these types of attacks.

The following answers are incorrect:

static and recurring passwords. This is incorrect because if there is no encryption then someone password sniffing would be able to capture the password much 
easier if it never changed. 
encryption and recurring passwords. This is incorrect because while encryption helps, recurring passwords do nothing to minimize the risk of passwords being
captured. 

static and one-time passwords. This is incorrect because while one-time passwords will prevent these types of attacks, static passwords do nothing to minimize the 
risk of passwords being captured. 
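Why a one-time password defeats a captured credential where a static one does not, shown with an HMAC-based counter OTP. This is an added example, not code from the page or the cited guide. The `hotp` function follows the RFC 4226 construction (HMAC-SHA1 over a big-endian counter, dynamic truncation to six digits), which is a standard scheme I know; the server classes, the look-ahead window and the replay scenario are constructed for the demonstration. The scenario is the one the question describes: a credential is observed in transit and presented a second time.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): each counter value yields a new code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class StaticPasswordServer:
    """A reusable password: the same string authenticates every time."""

    def __init__(self, password: str):
        self.password = password

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(presented, self.password)


class OtpServer:
    """Counter-based OTP: accepts the next `window` codes, then moves past the one used."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.counter, self.window = secret, 0, window

    def login(self, presented: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(presented, hotp(self.secret, c)):
                self.counter = c + 1             # a used counter is never accepted again
                return True
        return False


def replay_demo():
    """Constructed scenario: a value seen on the wire is presented a second time.
    Returns, for each server, (first login accepted, replayed login accepted)."""
    static = StaticPasswordServer("constructed-static-pw")
    observed_pw = "constructed-static-pw"        # what an eavesdropper would have seen
    static_first, static_replay = static.login(observed_pw), static.login(observed_pw)

    secret = b"constructed-shared-secret"
    otp = OtpServer(secret)
    observed_code = hotp(secret, 0)              # the legitimate user's first code
    otp_first, otp_replay = otp.login(observed_code), otp.login(observed_code)
    return {"static": (static_first, static_replay), "otp": (otp_first, otp_replay)}
```

The static server returns `(True, True)` and the OTP server `(True, False)`: the captured OTP authenticated once for its rightful owner and is worthless afterwards. Encryption of the channel attacks the capture itself; the OTP removes the value of whatever is captured, which is why the question pairs the two.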


NEW QUESTION 12 
- (Topic 1) 
Which of the following is NOT a system-sensing wireless proximity card? 


A. magnetically striped card
B. passive device
C. field-powered device
D. transponder


Answer: A 


Explanation: 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 342. 


NEW QUESTION 15 
- (Topic 1) 
Which integrity model defines a constrained data item, an integrity verification procedure and a transformation procedure? 


A. The Take-Grant model
B. The Biba integrity model
C. The Clark Wilson integrity model
D. The Bell-LaPadula integrity model


Answer: C 


Explanation: 

The Clark Wilson integrity model addresses the three following integrity goals: 1) data is protected from modification by unauthorized users; 2) data is protected 
from unauthorized modification by authorized users; and 3) data is internally and externally consistent. It also defines a Constrained Data Item (CDI), an Integrity 
Verification Procedure (IVP), a Transformation Procedure (TP) and an Unconstrained Data item. The Bell-LaPadula and Take-Grant models are not integrity 
models. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: 
Security Architecture and Models (page 205). 


NEW QUESTION 16 
- (Topic 1) 
A network-based vulnerability assessment is a type of test also referred to as: 


A. An active vulnerability assessment.
B. A routing vulnerability assessment.
C. A host-based vulnerability assessment.
D. A passive vulnerability assessment.


Answer: A 


Explanation: 

A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets 
to infer weaknesses from their responses. 

Since the assessment is actively attacking or scanning targeted systems, network-based vulnerability assessment systems are also called active vulnerability 
systems. 

There are two main types of test:

PASSIVE: You do not send any packets to, or otherwise interact with, the remote target. You make use of public databases and other techniques to gather information
about your target.

ACTIVE: You do send packets to your target, attempting to stimulate responses that help you gather information about hosts that are alive, services
running, port state, and more.

See example below of both types of attacks: 

Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, 
message, or any parts of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to 
detect and stop them. 

Altering messages, modifying system files, and masquerading as another individual are acts that are considered active attacks because the attacker is actually
doing something instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack.

IMPORTANT NOTE:

Commercial vendors will sometimes use different names for different types of scans. However, the exam is product agnostic. It does not use vendor terms
but general terms. Experience could sometimes trick you into selecting the wrong choice. See feedback from Jason below:

"I am a system security analyst. It is my daily duty to perform system vulnerability analysis. We use Nessus and Retina (among other tools) to perform our network
based vulnerability scanning. Both commercially available tools refer to a network based vulnerability scan as a "credentialed" scan. Without credentials, the scan
tool cannot login to the system being scanned, and as such will only receive a port scan to see what ports are open and exploitable"

Reference(s) used for this question: 

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 865). McGraw-Hill. Kindle Edition.

and 

DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, march 2002 (page 97). 


NEW QUESTION 21 
- (Topic 1) 
Which of the following access control models is based on sensitivity labels? 
A. Discretionary access control
B. Mandatory access control 
C. Rule-based access control 
D. Role-based access control 


Answer: B 


Explanation: 

Access decisions are made based on the clearance of the subject and the sensitivity label of the object. 

Example: Eve has a "Secret" security clearance and is able to access the "Mugwump Missile Design Profile" because its sensitivity label is "Secret." She is denied 
access to the "Presidential Toilet Tissue Formula" because its sensitivity label is "Top Secret." 

The other answers are not correct because: 

Discretionary Access Control is incorrect because in DAC access to data is determined by the data owner. For example, Joe owns the "Secret Chili Recipe" and 
grants read access to Charles. 

Role Based Access Control is incorrect because in RBAC access decisions are made based on the role held by the user. For example, Jane has the role "Auditor"
and that role includes read permission on the "System Audit Log."

Rule Based Access Control is incorrect because it is a form of MAC. A good example would be a Firewall where rules are defined and apply to anyone connecting 
through the firewall. 

References: 

All-in-One, third edition, page 164. Official ISC2 Guide, page 187.


NEW QUESTION 24
- (Topic 1)
Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these
types of controls is correct?


A. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a
review of vacation history, and also do not include increased supervision.
B. Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols.
C. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
D. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation
history, and increased supervision.


Answer: C 


Explanation: 

Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, 
smart cards, access lists, and transmission protocols. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33. 


NEW QUESTION 26 
- (Topic 1) 
Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector? 


A. Using a TACACS+ server.
B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall.
C. Setting modem ring count to at least 5.
D. Only attaching modems to non-networked hosts.


Answer: B 


Explanation: 

Containing the dial-up problem is conceptually easy: by installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the 
firewall, any access to internal resources through the RAS can be filtered as would any other connection coming from the Internet. 

The use of a TACACS+ Server by itself cannot eliminate hacking. 

Setting a modem ring count to 5 may help in defeating war-dialing hackers who look for modems by dialing long series of numbers.

Attaching modems only to non-networked hosts is not practical and would not prevent these hosts from being hacked. 

Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2: Hackers. 


NEW QUESTION 30 
- (Topic 1) 
What does the Clark-Wilson security model focus on? 


A. Confidentiality 
B. Integrity 

C. Accountability 
D. Availability 


Answer: B 


Explanation: 

The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory 
integrity policy. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: 
Security Architectures and Models (page 205). 


NEW QUESTION 33 
- (Topic 1) 
Which of the following security models does NOT concern itself with the flow of data? 
A. The information flow model 
B. The Biba model 

C. The Bell-LaPadula model 
D. The noninterference model 


Answer: D 


Explanation: 

The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users. By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel. 

The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with confidentiality and bases access control decisions on the classification of objects and the clearances of subjects. 

The information flow model is incorrect. The information flow models have a similar framework to the Bell-LaPadula model and control how information may flow between objects based on security classes. 

The Biba model is incorrect. The Biba model is concerned with integrity and is a complement to the Bell-LaPadula model in that higher levels of integrity are more trusted than lower levels. Access control is based on these integrity levels to assure that read/write operations do not decrease an object's integrity. 

References: 

CBK, pp 325 - 326 

AIO3, pp. 290 - 291 


NEW QUESTION 35 
- (Topic 1) 
Which of the following protocols was used by the INITIAL version of the Terminal Access Controller Access Control System (TACACS) for communication between clients and servers? 


A. TCP 
B. SSL 
C. UDP 
D. SSH 


Answer: C 


Explanation: 

The original TACACS, developed in the early ARPANet days, had very limited functionality and used the UDP transport. In the early 1990s, the protocol was 
extended to include additional functionality and the transport changed to TCP. 

TACACS is defined in RFC 1492, and uses (either TCP or UDP) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. TACACSD uses TCP and usually runs on port 49. It would determine whether to accept or deny the authentication request and send a response back. 

TACACS+ 

TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and is not compatible with TACACS or XTACACS. TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). Since TCP is a connection-oriented protocol, TACACS+ does not have to implement transmission control. RADIUS, however, does have to detect and correct transmission errors like packet loss, timeouts, etc., since it rides on UDP, which is connectionless. 

RADIUS encrypts only the users’ password as it travels from the RADIUS client to RADIUS server. All other information such as the username, authorization, 
accounting are transmitted in clear text. Therefore it is vulnerable to different types of attacks. TACACS+ encrypts all the information mentioned above and 
therefore does not have the vulnerabilities present in the RADIUS protocol. 

RADIUS and TACACS+ are client/server protocols, which means the server portion cannot send unsolicited commands to the client portion. The server portion can only speak when spoken to. Diameter is a peer-based protocol that allows either end to initiate communication. This functionality allows the Diameter server to send a message to the access server to request the user to provide another authentication credential if she is attempting to access a secure resource. 

Reference(s) used for this question: http://en.wikipedia.org/wiki/TACACS 

and 

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 239). McGraw- Hill. Kindle Edition. 


NEW QUESTION 39 
- (Topic 1) 
Single Sign-on (SSO) is characterized by which of the following advantages? 


A. Convenience 

B. Convenience and centralized administration 

C. Convenience and centralized data administration 

D. Convenience and centralized network administration 


Answer: B 


Explanation: 

Convenience -Using single sign-on users have to type their passwords only once when they first log in to access all the network resources; and Centralized 
Administration as some single sign-on systems are built around a unified server administration system. This allows a single administrator to add and delete 
accounts across the entire network from one user interface. 

The following answers are incorrect: 

Convenience - alone this is not the correct answer. 

Centralized Data or Network Administration - these are thrown in to mislead the student. Neither are a benefit to SSO, as these specifically should not be allowed 
with just an SSO. 

References: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, page 35. 

TIPTON, Harold F. & HENRY, Kevin, Official (ISC)2 Guide to the CISSP CBK, 2007, page 180. 


NEW QUESTION 41 
- (Topic 1) 
What is the PRIMARY use of a password? 
A. Allow access to files. 

B. Identify the user. 

C. Authenticate the user. 

D. Segregate various users' accesses. 


Answer: C 


Explanation: 
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 


NEW QUESTION 46 
- (Topic 1) 
Which of the following is used by RADIUS for communication between clients and servers? 


A. TCP 
B. SSL 
C. UDP 
D. SSH 


Answer: C 


Explanation: 
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 33. 


NEW QUESTION 48 
- (Topic 1) 
Which security model is based on the military classification of data and people with clearances? 


A. Brewer-Nash model 
B. Clark-Wilson model 
C. Bell-LaPadula model 
D. Biba model 


Answer: C 


Explanation: 

The Bell-LaPadula model is a confidentiality model for information security based on the military classification of data, on people with clearances and data with a 
classification or sensitivity model. The Biba, Clark-Wilson and Brewer-Nash models are concerned with integrity. 

Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002. 


NEW QUESTION 50 
- (Topic 1) 
Which of the following is the most reliable authentication method for remote access? 


A. Variable callback system 

B. Synchronous token 

C. Fixed callback system 

D. Combination of callback and caller ID 


Answer: B 


Explanation: 

A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if 
not entered in the acceptable time frame. 

The following answers are incorrect: 

Variable callback system. Although variable callback systems are more flexible than fixed callback systems, the system assumes the identity of the individual 
unless two-factor authentication is also implemented. By itself, this method might allow an attacker access as a trusted user. 

Fixed callback system. Authentication provides assurance that someone or something is who or what he/it is supposed to be. Callback systems authenticate a person, but anyone can pretend to be that person. They are tied to a specific place and phone number, which can be spoofed by implementing call-forwarding. 

Combination of callback and Caller ID. The caller ID and callback functionality provides greater confidence and auditability of the caller's identity. By disconnecting and calling back only authorized phone numbers, the system has a greater confidence in the location of the call. However, unless combined with strong authentication, any individual at the location could obtain access. 

The following reference(s) were/was used to create this question: Shon Harris AIO v3 p. 140, 548 

ISC2 OIG 2007 p. 152-153, 126-127 


NEW QUESTION 55 
- (Topic 1) 
What is the main objective of proper separation of duties? 


A. To prevent employees from disclosing sensitive information. 
B. To ensure access controls are in place. 

C. To ensure that no single individual can compromise a system. 
D. To ensure that audit trails are not tampered with. 

Answer: C 


Explanation: 
The primary objective of proper separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. A proper separation of duties does not prevent employees from disclosing information, nor does it ensure that access controls are in place or that audit trails are not tampered with. 

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 12: Operations Security (Page 808). 


NEW QUESTION 57 
- (Topic 1) 
Which of the following would constitute the best example of a password to use for access to a system by a network administrator? 


A. holiday 

B. Christmas12 
C. Jenny 

D. GyN19Za! 


Answer: D 


Explanation: 

GyN19Za! would be the best answer because it contains a mixture of upper and lower case characters, alphabetic and numeric characters, and a special character, making it less vulnerable to password attacks. 

All of the other answers are incorrect because they are vulnerable to brute force or dictionary attacks. Passwords should not be common words or names. The addition of a number to the end of a common word only marginally strengthens it, because a common password attack would also check combinations of words and numbers: Christmas23, Christmas123, etc. 


NEW QUESTION 58 
- (Topic 1) 
The end result of implementing the principle of least privilege means which of the following? 


A. Users would get access to only the info for which they have a need to know 
B. Users can access all systems. 

C. Users get new privileges added when they change positions. 

D. Authorization creep. 


Answer: A 


Explanation: 

The principle of least privilege refers to allowing users to have only the access they need and not anything more. Thus, certain users may have no need to access 
any of the files on specific systems. 

The following answers are incorrect: 

Users can access all systems. Although the principle of least privilege limits what access and systems users have authorization to, not all users would have a need 
to know to access all of the systems. The best answer is still Users would get access to only the info for which they have a need to know as some of the users may 
not have a need to access a system. 

Users get new privileges when they change positions. Although it is true that a user may indeed require new privileges, this is not a given fact, and in actuality a user may require fewer privileges for a new position. The principle of least privilege would require that the rights required for the position be closely evaluated and, where possible, rights revoked. 

Authorization creep. Authorization creep occurs when users are given additional rights with new positions and responsibilities. The principle of least privilege 
should actually prevent authorization creep. 

The following reference(s) were/was used to create this question: ISC2 OIG 2007 p.101,123 

Shon Harris AIO v3 p148, 902-903 


NEW QUESTION 59 
- (Topic 1) 
RADIUS incorporates which of the following services? 


A. Authentication server and PIN codes. 

B. Authentication of clients and static passwords generation. 

C. Authentication of clients and dynamic passwords generation. 

D. Authentication server as well as support for Static and Dynamic passwords. 


Answer: D 


Explanation: 

A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned. 

RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the 
client to deliver service to the user. 

RADIUS authentication is based on provisions of simple username/password credentials. These credentials are encrypted by the client using a shared secret between the client and the RADIUS server. 

OIG 2007, Page 513 

RADIUS incorporates an authentication server and can make use of both dynamic and static passwords. 

Since it uses the PAP and CHAP protocols, it also includes static passwords. 

RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server. RADIUS features and functions are described primarily in the IETF (Internet Engineering Task Force) document RFC2138. 

The term " RADIUS" is an acronym which stands for Remote Authentication Dial In User Service. 

The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, 
two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access. 

Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the 
security server. To gain entry into the system, the user must generate both this one-time number and provide his or her user ID and password. 

Although protocols such as RADIUS cannot protect against theft of an authenticated session via some realtime attacks, such as wiretapping, using unique, 
unpredictable authentication requests can protect against a wide range of active attacks. 

RADIUS: Key Features and Benefits 

RADIUS supports dynamic passwords and challenge/response passwords. Improved system security due to the fact that passwords are not static. It is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms. 

RADIUS allows the user to have a single user ID and password for all computers in a network. Improved usability due to the fact that the user has to remember only one login combination. 

RADIUS is able to prevent RADIUS users from logging in via login (or ftp), require them to log in via login (or ftp), require them to log in to a specific network access server (NAS), and control access by time of day. This provides very granular control over the types of logins allowed, on a per-user basis. 

The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable. 

RADIUS gives the System Administrator more flexibility in managing which users can log in from which hosts or devices. 

Stratus Technology Product Brief: http://www.stratus.com/products/vos/openvos/radius.htm 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 43, 
44. 

Also check: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., pages 45-46. 


NEW QUESTION 64 
- (Topic 1) 
Which TCSEC class specifies discretionary protection? 


Answer: D 


Explanation: 
C1 involves discretionary protection, C2 involves controlled access protection, B1 involves labeled security protection and B2 involves structured protection. 
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 


NEW QUESTION 67 
- (Topic 1) 
For maximum security design, what type of fence is the most effective and cost-effective method (feet are used as the measurement unit below)? 


A. 3' to 4' high 

B. 6' to 7' high 

C. 8' high and above with strands of barbed wire 
D. Double fencing 


Answer: D 


Explanation: 

The most commonly used fence is the chain linked fence and it is the most affordable. The standard is a six-foot high fence with two-inch mesh square openings. 
The material should consist of nine-gauge vinyl or galvanized metal. Nine-gauge is a typical fence material installed in residential areas. 

Additionally, it is recommended to place barbed wire strands angled out from the top of the fence at a 45° angle and away from the protected area with three strands running across the top. This will provide for a seven-foot fence. There are several variations of the use of "top guards" using V-shaped barbed wire or the use of concertina wire as an enhancement, which has been a replacement for more traditional three strand barbed wire "top guards." 

The fence should be fastened to rigid metal posts set in concrete every six feet with additional bracing at the corners and gate openings. The bottom of the fence should be stabilized against intruders crawling under by attaching posts along the bottom to keep the fence from being pushed or pulled up from the bottom. If the soil is sandy, the bottom edge of the fence should be installed below ground level. 

For maximum security design, the use of double fencing with rolls of concertina wire positioned between the two fences is the most effective deterrent and cost- 
efficient method. In this design, an intruder is required to use an extensive array of ladders and equipment to breach the fences. 

Most fencing is largely a psychological deterrent and a boundary marker rather than a barrier, because in most cases such fences can be rather easily penetrated 
unless added security measures are taken to enhance the security of the fence. Sensors attached to the fence to provide electronic monitoring of cutting or scaling 
the fence can be used. 

Reference(s) used for this question: 

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 24416-24431). Auerbach 
Publications. Kindle Edition. 


NEW QUESTION 72 
- (Topic 1) 
In regard to information classification, what is the main responsibility of the information (data) owner? 


A. determining the data sensitivity or classification level 
B. running regular data backups 

C. audit the data users 

D. periodically check the validity and accuracy of the data 


Answer: A 


Explanation: 

Making the determination to decide what level of classification the information requires is the main responsibility of the data owner. 

The data owner within classification is a person from Management who has been entrusted with a data set that belongs to the company. It could be, for example, the Chief Financial Officer (CFO) who has been entrusted with all financial data, or it could be the Human Resource Director who has been entrusted with all Human Resource data. The information owner will decide what classification will be applied to the data based on Confidentiality, Integrity, Availability, Criticality, and Sensitivity of the data. 

The Custodian is the technical person who will implement the proper classification on objects in accordance with the Data Owner. The custodian DOES NOT 
decide what classification to apply, it is the Data Owner who will dictate to the Custodian what is the classification to apply. 

NOTE: 

The term Data Owner is also used within Discretionary Access Control (DAC). Within DAC it means the person who has created an object. For example, if I create a file on my system then I am the owner of the file and I can decide who else could get access to the file. It is left to my discretion. Within DAC access is granted based solely on the Identity of the subject, this is why sometimes DAC is referred to as Identity Based Access Control. 

The other choices were not the best answer: 

Running regular backups is the responsibility of the custodian. Auditing the data users is the responsibility of the auditors. 

Periodically checking the validity and accuracy of the data is not one of the data owner's responsibilities. 

Reference(s) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 14, Chapter 1: 
Security Management Practices. 


NEW QUESTION 76 
- (Topic 1) 
In the context of Biometric authentication, what is a quick way to compare the accuracy of devices? In general, the device that has the lowest value would be the most accurate. Which of the following would be used to compare accuracy of devices? 


A. the CER is used. 
B. the FRR is used 
C. the FAR is used 
D. the FER is used 


Answer: A 


Explanation: 

Equal error rate or crossover error rate (EER or CER): the rate at which both accept and reject errors are equal. The value of the EER can be easily obtained from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate. 

In the context of Biometric Authentication almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If 
the system's sensitivity is increased, such as in an airport metal detector, the system becomes increasingly selective and has a higher False Reject Rate (FRR). 
Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase. Thus, to have a valid measure of the system performance, the 
CrossOver Error Rate (CER) is used. 

The following are used as performance metrics for biometric systems: 

false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. On a similarity scale, if the person is actually an impostor but the matching score is higher than the threshold, then he is treated as genuine, which increases the FAR; hence performance also depends upon the selection of the threshold value. 

false reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template 
in the database. It measures the percent of valid inputs which are incorrectly rejected. 

failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input are unsuccessful. This is most commonly caused by low quality inputs. 

failure to capture rate (FTC): Within automatic systems, the probability that the system fails to detect a biometric input when presented correctly. 

template capacity: the maximum number of sets of data which can be stored in the system. 

Reference(s) used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37. 

and 

Wikipedia at: https://en.wikipedia.org/wiki/Biometrics 


NEW QUESTION 77 
- (Topic 1) 
Which of the following control pairing places emphasis on "soft" mechanisms that support the access control objectives? 


A. Preventive/Technical Pairing 

B. Preventive/Administrative Pairing 
C. Preventive/Physical Pairing 

D. Detective/Administrative Pairing 


Answer: B 


Explanation: 

Soft Control is another way of referring to Administrative control. 

Technical and Physical controls are NOT soft control, so any choice listing them was not the best answer. 

Preventative/Technical is incorrect because although access control can be a technical control, it is commonly not referred to as a "soft" control. 

Preventative/Administrative is correct because access controls are preventative in nature. It is always best to prevent a negative event; however, there are times where controls might fail and you cannot prevent everything. Administrative controls are roles, responsibilities, policies, etc., which are usually paper based. In the administrative category you would find audit, monitoring, and security awareness as well. 

Preventative/Physical pairing is incorrect because access controls with an emphasis on "soft" mechanisms conflict with the basic concept of physical controls; physical controls are usually tangible objects such as fences, gates, door locks, sensors, etc. 

Detective/Administrative Pairing is incorrect because access control is a preventative control used to control access, not to detect violations to access. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34. 


NEW QUESTION 82 
- (Topic 1) 
Which of the following is not a security goal for remote access? 


A. Reliable authentication of users and systems 

B. Protection of confidential data 

C. Easy to manage access control to systems and network resources 
D. Automated login for remote users 


Answer: D 


Explanation: 

An automated login function for remote users would imply a weak authentication, thus certainly not a security goal. 

Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition, volume 2, 2001, CRC Press, Chapter 5: An Introduction to Secure Remote Access (page 100). 


NEW QUESTION 83 
- (Topic 1) 
What is the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources called? 


A. Micrometrics 

B. Macrometrics 
C. Biometrics 

D. MicroBiometrics 


Answer: C 


Explanation: 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35. 


NEW QUESTION 84 
- (Topic 1) 
Which of the following forms of authentication would most likely apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier? 


A. Dynamic authentication 
B. Continuous authentication 
C. Encrypted authentication 
D. Robust authentication 


Answer: B 


Explanation: 

Continuous authentication is a type of authentication that provides protection against impostors who can see, alter, and insert information passed between the 
claimant and verifier even after the claimant/verifier authentication is complete. These are typically referred to as active attacks, since they assume that the 
imposter can actively influence the connection between claimant and verifier. One way to provide this form of authentication is to apply a digital signature algorithm 
to every bit of data that is sent from the claimant to the verifier. There are other combinations of cryptography that can provide this form of authentication but 
current strategies rely on applying some type of cryptography to every bit 

of data sent. Otherwise, any unprotected bit would be suspect. Robust authentication relies on dynamic authentication data that changes with each authenticated 
session between a claimant and a verifier, but does not provide protection against active attacks. Encrypted authentication is a distracter. 

Source: GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A Technical Guide, Draft Version, May 25, 2000 
(page 34). 


NEW QUESTION 85 
- (Topic 1) 
Which of the following attacks could capture network user passwords? 


A. Data diddling 
B. Sniffing 

C. IP Spoofing 
D. Smurfing 


Answer: B 


Explanation: 

A network sniffer captures a copy of every packet that traverses the network segment the sniffer is connected to. 

Sniffers are typically devices that can collect information from a communication medium, such as a network. These devices can range from specialized equipment 
to basic workstations with customized software. 

A sniffer can collect information about most, if not all, attributes of the communication. The most common method of sniffing is to plug a sniffer into an existing 
network device like a hub or switch. A hub (which is designed to relay all traffic passing through it to all of its ports) will automatically begin sending all the traffic on 
that network segment to the sniffing device. On the other hand, a switch (which is designed to limit what traffic gets sent to which port) will have to be specially 
configured to send all traffic to the port where the sniffer is plugged in. 

Another method for sniffing is to use a network tap, a device that literally splits a network transmission into two identical streams; one going to the original network destination and the other going to the sniffing device. Each of these methods has its advantages and disadvantages, including cost, feasibility, and the desire to maintain the secrecy of the sniffing activity. 

The packets captured by a sniffer are decoded and then displayed by the sniffer. Therefore, if the username/password are contained in a packet or packets traversing the segment the sniffer is connected to, it will capture and display that information (and any other information on that segment it can see). 

Of course, if the information is encrypted via a VPN, SSL, TLS, or similar technology, the information is still captured and displayed, but it is in an unreadable 
format. 

The following answers are incorrect: 

Data diddling involves changing data before or as it is entered into a computer, or after it is extracted. 

Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication - or causing a system to respond to the wrong address. 

Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the broadcast address on a gateway in order to cause a denial of service. 

The following reference(s) were/was used to create this question: CISA Review manual 2014 Page number 321 

Official ISC2 Guide to the CISSP 3rd edition Page Number 153 


NEW QUESTION 90 
- (Topic 1) 
The Orange Book is founded upon which security policy model? 


A. The Biba Model 

B. The Bell LaPadula Model 
C. Clark-Wilson Model 

D. TEMPEST 


Passing Certification Exams Made Easy visit - https://www.surepassexam.com 

Recommend!! Get the Full SSCP dumps in VCE and PDF From SurePassExam: https://www.surepassexam.com/SSCP-exam-dumps.html (1074 New Questions) 


Answer: B 


Explanation: 

From the glossary of Computer Security Basics: 

The Bell-LaPadula model is the security policy model on which the Orange Book requirements are based. From the Orange Book definition, "A formal state 
transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into 
abstract sets of subjects and objects. The notion of secure state is defined and it is proven that each state transition preserves security by moving from secure 
state to secure state; thus, inductively proving the system is secure. A system state is defined to be 'secure' if the only permitted access modes of subjects to 
objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is 
compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode." 

The Biba Model is an integrity model of computer security policy that describes a set of rules. In this model, a subject may not depend on any object or other 
subject that is less trusted than itself. 

The Clark-Wilson Model is an integrity model for computer security policy designed for a commercial environment. It addresses such concepts as nondiscretionary 
access control, privilege separation, and least privilege. 

TEMPEST is a government program that prevents the compromising electrical and electromagnetic signals that emanate from computers and related equipment 
from being intercepted and deciphered. 

Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991. 

Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD, December 1985. 


NEW QUESTION 95 
- (Topic 1) 
How would nonrepudiation best be classified? 


A. A preventive control 

B. A logical control 

C. A corrective control 

D. A compensating control 


Answer: A 


Explanation: 

Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the 
mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control. 

Source: STONEBURNER, Gary, NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security, National Institute of 
Standards and Technology, December 2001, page 7. 


NEW QUESTION 98 

- (Topic 1) 

Which of the following Operation Security controls is intended to prevent unauthorized intruders from internally or externally accessing the system, and to lower the 
amount and impact of unintentional errors that are entering the system? 


A. Detective Controls 

B. Preventative Controls 
C. Corrective Controls 
D. Directive Controls 


Answer: B 


Explanation: 

In the Operations Security domain, Preventative Controls are designed to prevent unauthorized intruders from internally or externally accessing the system, and to 
lower the amount and impact of unintentional errors that are entering the system. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: 
Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 217. 


NEW QUESTION 99 
- (Topic 1) 
An access control model in which a central authority determines what subjects can have access to certain objects based on the organizational security policy is called: 


A. Mandatory Access Control 

B. Discretionary Access Control 

C. Non-Discretionary Access Control 
D. Rule-based Access control 


Answer: C 


Explanation: 

A central authority determines what subjects can have access to certain objects based on the organizational security policy. 

The key focal point of this question is the 'central authority' that determines access rights. Cecilia, one of the quiz users, has sent me feedback informing me that 
NIST defines MAC as: 

"MAC Policy means that Access Control Policy Decisions are made by a CENTRAL AUTHORITY." 

This seems to indicate there could be two good answers to this question. 

However, if you read the NISTIR document mentioned in the references below, it is also mentioned that MAC is the most mentioned NDAC policy. So MAC is a 
form of NDAC policy. 

Within the same document it is also mentioned: "In general, all access control policies other than DAC are grouped in the category of non- discretionary access 
control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish 
controls that cannot be changed by users, but only through administrative action." 

Under NDAC you have two choices: 

Rule-Based Access Control and Role-Based Access Control 

MAC is implemented using RULES, which makes it fall under Rule-Based Access Control, which in turn is a form of NDAC. MAC is therefore a subset of NDAC. 

This question is representative of what you can expect on the real exam, where you have more than one choice that seems to be right. However, you have to look 
closely at whether one of the choices is higher level, or whether one of the choices falls under one of the other choices. In this case NDAC is the better choice because MAC 
falls under NDAC through the use of Rule-Based Access Control. 
The following are incorrect answers: 

MANDATORY ACCESS CONTROL 

In Mandatory Access Control the labels of the object and the clearance of the subject determine access rights, not a central authority. Although a central authority 
(better known as the Data Owner) assigns the label to the object, the system makes the determination of access rights automatically by comparing the object label 
with the subject clearance. The subject clearance MUST dominate (be equal to or higher than) the label of the object being accessed. 

The need for a MAC mechanism arises when the security policy of a system dictates that: 

1. Protection decisions must not be decided by the object owner. 

2. The system must enforce the protection decisions (i.e., the system enforces the security policy over the wishes or intentions of the object owner). 

Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the 
Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the "simple security rule," or "no read up." 

Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the 
"*-property" (pronounced "star property") or "no write down." The *-property is required to maintain system security in an automated environment. 

DISCRETIONARY ACCESS CONTROL 

In Discretionary Access Control the rights are determined by many different entities (each person who creates a file is the owner of that file), 
not by one central authority. 

DAC leaves a certain amount of access control to the discretion of the object's owner or anyone else who is authorized to control the object's access. For example, 
it is generally used to limit a user's access to a file; it is the owner of the file who controls other users' accesses to the file. Only those users specified by the owner 
may have some combination of read, write, execute, and other permissions to the file. 

DAC policy tends to be very flexible and is widely used in the commercial and government sectors. However, DAC is known to be inherently weak for two reasons: 
First, granting read access is transitive; for example, when Ann grants Bob read access to a file, nothing stops Bob from copying the contents of Ann's file to an 
object that Bob controls. Bob may now grant any other user access to the copy of Ann's file without Ann's knowledge. 

Second, DAC policy is vulnerable to Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example, write a program for 
Ann that, on the surface, performs some useful function, while at the same time destroying the contents of Ann's files. When investigating the problem, the audit 
files would indicate that Ann destroyed her own files. Thus, formally, the drawbacks of DAC are as follows: 

1. Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a system. 

2. No restrictions apply to the usage of information once the user has received it. 

3. The privileges for accessing objects are decided by the owner of the object, rather than through a system-wide policy that reflects the organization's security 
requirements. 

ACLs and owner/group/other access control mechanisms are by far the most common mechanism for implementing DAC policies. Other mechanisms, even 
though not designed with DAC in mind, may have the capabilities to implement a DAC policy. 

RULE BASED ACCESS CONTROL 

In Rule-based Access Control a central authority could in fact determine what subjects can have access when assigning the rules for access. However, the rules 
actually determine the access, and so this is not the most correct answer. 

RuBAC (as opposed to RBAC, role-based access control) allows users to access systems and information based on predetermined and configured rules. It is 
important to note that there is no commonly understood definition or formally defined standard for rule-based access control as there is for DAC, MAC, and RBAC. 
"Rule-based access" is a generic term applied to systems that allow some form of organization-defined rules, and therefore rule-based access control 
encompasses a broad range of systems. RuBAC may in fact be combined with other models, particularly RBAC or DAC. A RuBAC system intercepts every access 
request and compares the rules with the rights of the user to make an access decision. Most rule-based access control relies on a security label system, 
which dynamically composes a set of rules defined by a security policy. Security labels are attached to all objects, including files, directories, and devices. 
Sometimes roles are assigned to subjects (based on their attributes) as well. RuBAC meets the business needs as well as the technical needs of controlling service 
access. It allows business rules to be applied to access control; for example, customers who have overdue balances may be denied service access. As a 
mechanism for MAC, the rules of RuBAC cannot be changed by users. The rules can be established by any attributes of a system related to the users, such as 
domain, host, protocol, network, or IP addresses. For example, suppose that a user wants to access an object in another network on the other side of a router. The 
router employs RuBAC with a rule composed of the network addresses, domain, and protocol to decide whether or not the user can be granted access. If 
employees change their roles within the organization, their existing authentication credentials remain in effect and do not need to be reconfigured. Using rules in 
conjunction with roles adds greater flexibility because rules can be applied to people as well as to devices. Rule-based access control can be combined with 
role-based access control, such that the role of a user is one of the attributes in rule setting. Some access control systems have rule-based policy 
engines in addition to a role-based policy engine and certain implemented dynamic policies [Des03]. For example, suppose that two of the primary types of 
software users are product engineers and quality engineers. Both groups usually have access to the same data, but they have different roles to perform in relation 
to the data and the application's function. In addition, individuals within each group have different job responsibilities that may be identified using several types of 
attributes such as developing programs and testing areas. Thus, the access decisions can be made in real time by a scripted policy that regulates the access 
between the groups of product engineers and quality engineers, and each individual within these groups. Rules can either replace or complement role-based 
access control. However, the creation of rules and security policies is also a complex process, so each organization will need to strike the appropriate balance. 

References used for this question: 

http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf 

and 

AIO v3 p162-167 and OIG (2007) p.186-191 

also 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33. 


NEW QUESTION 100 

- (Topic 1) 

This baseline sets certain thresholds for specific errors or mistakes allowed and the amount of these occurrences that can take place before it is considered 
suspicious? 


A. Checkpoint level 
B. Ceiling level 

C. Clipping level 

D. Threshold level 


Answer: C 


Explanation: 

Organizations usually forgive a particular type, number, or pattern of violations, thus permitting a predetermined number of user errors before gathering this data 
for analysis. An organization attempting to track all violations, without sophisticated statistical computing ability, would be unable to manage the sheer quantity of 
such data. To make a violation listing effective, a clipping level must be established. 

The clipping level establishes a baseline for violation activities that may be normal user errors. Only after this baseline is exceeded is a violation record produced. 
This solution is particularly effective for small- to medium-sized installations. Organizations with large-scale computing facilities often track all violations and use 
statistical routines to cull out the minor infractions (e.g., forgetting a password or mistyping it several times). 

If the number of violations being tracked becomes unmanageable, the first step in correcting the problems should be to analyze why the condition has occurred. 
Do users understand how they are to interact with the computer resource? Are the rules too difficult to follow? Violation tracking and analysis can be valuable tools 
in assisting an organization to develop thorough but usable controls. Once these are in place and records are produced that accurately reflect serious violations, 
tracking and analysis become the first line of defense. With this procedure, intrusions are discovered before major damage occurs and sometimes early enough to 
catch the perpetrator. In addition, business protection and preservation are strengthened. 
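As an added example (not from the question bank or the handbook cited below): the clipping-level logic described above, run over a few constructed login audit lines. The log format, the 15-minute window and the level of 3 failures are assumptions; a violation record is produced only once a user's failures inside the window exceed the level, so ordinary mistyped passwords stay below the baseline.

```python
"""Clipping-level violation tracking over constructed login audit records.

Added example; the log format, window and clipping level are assumptions
chosen for illustration, not values from the handbook cited in the question.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not captured from a real system).
SAMPLE_LOG = """\
2024-01-10T09:00:01 LOGIN_FAIL user=alice src=10.0.0.5
2024-01-10T09:00:07 LOGIN_FAIL user=alice src=10.0.0.5
2024-01-10T09:00:20 LOGIN_OK   user=alice src=10.0.0.5
2024-01-10T09:01:00 LOGIN_FAIL user=bob   src=10.0.0.9
2024-01-10T09:01:03 LOGIN_FAIL user=bob   src=10.0.0.9
2024-01-10T09:01:05 LOGIN_FAIL user=bob   src=10.0.0.9
2024-01-10T09:01:08 LOGIN_FAIL user=bob   src=10.0.0.9
2024-01-10T09:01:11 LOGIN_FAIL user=bob   src=10.0.0.9
2024-01-10T09:45:00 LOGIN_FAIL user=carol src=10.0.0.7
2024-01-10T10:30:00 LOGIN_FAIL user=carol src=10.0.0.7
"""


def parse_line(line):
    """Split one audit line into (timestamp, event, user, source address)."""
    ts, event, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def violation_records(log_text, clipping_level=3, window=timedelta(minutes=15)):
    """Return one violation record per user whose failures inside `window`
    exceed `clipping_level`.

    Failures at or below the level are treated as ordinary user error (the
    clipping-level baseline) and generate no record; a successful login
    resets the user's counter.  Each record carries the count at the moment
    the baseline was exceeded, so the analyst sees when it tipped over.
    """
    recent = defaultdict(list)   # user -> timestamps of failures in window
    flagged = set()
    records = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, user, src = parse_line(raw)
        if event == "LOGIN_OK":
            recent[user].clear()
            continue
        if event != "LOGIN_FAIL":
            continue                 # other event types are not violations
        cutoff = ts - window
        recent[user] = [t for t in recent[user] if t >= cutoff] + [ts]
        if len(recent[user]) > clipping_level and user not in flagged:
            flagged.add(user)
            records.append({
                "user": user,
                "src": src,
                "failures": len(recent[user]),
                "first": recent[user][0].isoformat(),
                "last": ts.isoformat(),
            })
    return records


if __name__ == "__main__":
    for rec in violation_records(SAMPLE_LOG):
        print(rec)
```

With the sample data only `bob` crosses the baseline; `alice` recovers with a successful login and `carol`'s two failures are 45 minutes apart, so neither produces a record.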

The following answers are incorrect: 

All of the other choices presented were simply distractors. The following reference(s) were used for this question: 

Handbook of Information Security Management 


NEW QUESTION 103 
- (Topic 1) 
Who developed one of the first mathematical models of a multilevel-security computer system? 


A. Diffie and Hellman. 
B. Clark and Wilson. 

C. Bell and LaPadula. 
D. Gasser and Lipner. 


Answer: C 


Explanation: 

In 1973 Bell and LaPadula created the first mathematical model of a multilevel security system. 

The following answers are incorrect: 

Diffie and Hellman. This is incorrect because Diffie and Hellman were involved with cryptography. 

Clark and Wilson. This is incorrect because Bell and LaPadula produced the first model. The Clark-Wilson model came later, in 1987. 

Gasser and Lipner. This is incorrect; it is a distractor. Bell and LaPadula produced the first model. 


NEW QUESTION 105 
- (Topic 1) 
Who first described the DoD multilevel military security policy in abstract, formal terms? 


A. David Bell and Leonard LaPadula 
B. Rivest, Shamir and Adleman 

C. Whitfield Diffie and Martin Hellman 
D. David Clark and David Wilson 


Answer: A 


Explanation: 

It was David Bell and Leonard LaPadula who, in 1973, first described the DoD multilevel military security policy in abstract, formal terms. The Bell-LaPadula is a 
Mandatory Access Control (MAC) model concerned with confidentiality. Rivest, Shamir and Adleman (RSA) developed the RSA encryption algorithm. Whitfield 
Diffie and Martin Hellman published the Diffie-Hellman key agreement algorithm in 1976. David Clark and David Wilson developed the Clark-Wilson integrity 
model, more appropriate for security in commercial activities. 

Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (pages 78,109). 


NEW QUESTION 106 
- (Topic 1) 
Which of the following is true about Kerberos? 


A. It utilizes public key cryptography. 

B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text. 
C. It depends upon symmetric ciphers. 

D. It is a second party authentication system. 


Answer: C 


Explanation: 

Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third-party authentication protocol. It was designed and developed in the mid-1980s by MIT. 
It is considered open source but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to encrypt and decrypt the keys. 

The following answers are incorrect: 

It utilizes public key cryptography. Is incorrect because Kerberos depends on secret keys (symmetric ciphers). 

It encrypts data after a ticket is granted, but passwords are exchanged in plain text. Is incorrect because the passwords are not exchanged but used for encryption 
and decryption of the keys. 

It is a second party authentication system. Is incorrect because Kerberos is a third-party authentication system; you authenticate to the third party (Kerberos) and 
not to the system you are accessing. 

References: 

MIT http://web.mit.edu/kerberos/ 

Wikipedia http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 

OIG CBK Access Control (pages 181 - 184) 

AIOv3 Access Control (pages 151 - 155) 


NEW QUESTION 109 

- (Topic 1) 

Which type of control is concerned with avoiding occurrences of risks? 
A. Deterrent controls 

B. Detective controls 

C. Preventive controls 

D. Compensating controls 


Answer: C 
Explanation: 

Preventive controls are concerned with avoiding occurrences of risks, while deterrent controls are concerned with discouraging violations. Detective controls 
identify occurrences, and compensating controls are alternative controls used to compensate for weaknesses in other controls. Supervision is an example of a 
compensating control. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 


NEW QUESTION 113 
- (Topic 1) 
Which of the following would be true about Static password tokens? 


A. The owner identity is authenticated by the token 

B. The owner will never be authenticated by the token. 

C. The owner will authenticate himself to the system. 

D. The token does not authenticate the token owner but the system. 


Answer: A 


Explanation: 

Password Tokens 

Tokens are electronic devices or cards that supply a user's password for them. A token system can be used to supply either a static or a dynamic password. There 
is a big difference between the static and dynamic systems: a static system will normally log a user in, but with a dynamic system the user will often have to log 
themselves in. 

Static Password Tokens: 

The owner identity is authenticated by the token. This is done by the person who issues the token to the owner (normally the employer). The owner of the token is 
now authenticated by "something you have". The token authenticates the identity of the owner to the information system. An example of this occurring is when an 
employee swipes his or her smart card over an electronic lock to gain access to a store room. 

Synchronous Dynamic Password Tokens: 

This system is a lot more complex than the static password token. The synchronous dynamic password tokens generate new passwords at certain time intervals 
that are synched with the main system. The password is generated on a small device similar to a pager or a calculator that can often be attached to the user's key 
ring. Each password is only valid for a certain time period; typing in the wrong password in the wrong time period will invalidate the authentication. The time factor 
can also be the system's downfall. If a clock on the system or the password token device becomes out of synch, a user can have trouble authenticating 
themselves to the system. 

Asynchronous Dynamic Password Tokens: 

The clock synching problem is eliminated with asynchronous dynamic password tokens. This system works on the same principle as the synchronous one but it 
does not have a time frame. A lot of big companies use this system, especially for employees who may work from home on the company's VPN (Virtual Private 
Network). 

Challenge Response Tokens: 

This is an interesting system. A user will be sent special "challenge" strings at either random or timed intervals. The user inputs this challenge string into their token 
device and the device will respond by generating a challenge response. The user then types this response into the system and if it is correct they are 
authenticated. 

Reference(s) used for this question: http://www.informit.com/guides/content.aspx?g=security&seqNum=146 

and 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37. 


NEW QUESTION 118 
- (Topic 1) 
Why should batch files and scripts be stored in a protected area? 


A. Because of the least privilege concept. 
B. Because they cannot be accessed by operators. 
C. Because they may contain credentials. 
D. Because of the need-to-know concept. 


Answer: C 


Explanation: 

Because scripts contain credentials, they must be stored in a protected area and the transmission of the scripts must be dealt with carefully. Operators might need 
access to batch files and scripts. The least privilege concept requires that each subject in a system be granted the most restrictive set of privileges needed for the 
performance of authorized tasks. The need-to-know principle requires that a user have a necessity for access to, knowledge of, or possession of specific information 
in order to perform official tasks or services. 

Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System & Methodology (page 3) 


NEW QUESTION 120 
- (Topic 1) 
What is called a sequence of characters that is usually longer than the allotted number for a password? 


A. passphrase 

B. cognitive phrase 
C. anticipated phrase 
D. Real phrase 


Answer: A 
Explanation: 


A passphrase is a sequence of characters that is usually longer than the allotted number for a password. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, page 37. 


NEW QUESTION 125 
- (Topic 1) 
Which of the following is not a logical control when implementing logical access security? 
A. access profiles. 

B. userids. 

C. employee badges. 
D. passwords. 


Answer: C 


Explanation: 

Employee badges are considered Physical so would not be a logical control. The following answers are incorrect: 

userids. Is incorrect because userids are a type of logical control. 

access profiles. Is incorrect because access profiles are a type of logical control. 

passwords. Is incorrect because passwords are a type of logical control. 


NEW QUESTION 126 

- (Topic 1) 

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access 
than what is required for the tasks the user needs to fulfill. What best describes this scenario? 


A. Excessive Rights 

B. Excessive Access 

C. Excessive Permissions 
D. Excessive Privileges 


Answer: D 


Explanation: 

Even though all 4 terms are very close to each other, the best choice is Excessive Privileges, which would include the other three choices presented. 
Reference(s) used for this question: 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 645. 

and 


NEW QUESTION 127 
- (Topic 1) 
What does the simple integrity axiom mean in the Biba model? 


A. No write down 
B. No read down 
C. No read up 
D. No write up 


Answer: B 


Explanation: 

The simple integrity axiom of the Biba access control model states that a subject at one level of integrity is not permitted to observe an object of a lower integrity 
(no read down). 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: 
Security Architectures and Models (page 205). 


NEW QUESTION 132 
- (Topic 1) 
Which of the following is NOT a compensating measure for access violations? 


A. Backups 

B. Business continuity planning 
C. Insurance 

D. Security awareness 


Answer: D 


Explanation: 

Security awareness is a preventive measure, not a compensating measure for access violations. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: 
Access control systems (page 50). 


NEW QUESTION 137 
- (Topic 1) 
Examples of types of physical access controls include all EXCEPT which of the following? 


A. badges 

B. locks 

C. guards 

D. passwords 


Answer: D 
Explanation: 
Passwords are considered a Preventive/Technical (logical) control. The following answers are incorrect: 

badges. Badges are a physical control used to identify an individual. A badge can include a smart device which can be used for authentication and thus a Technical 
control, but the actual badge itself is primarily a physical control. 

locks. Locks are a Preventative Physical control and have no Technical association. 

guards. Guards are a Preventative Physical control and have no Technical association. 

The following reference(s) were/was used to create this question: 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: 
Access control systems (page 35). 


NEW QUESTION 140 
- (Topic 1) 
The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated up to? 


A. Illuminated at nine feet high with at least three foot-candles 
B. Illuminated at eight feet high with at least three foot-candles 
C. Illuminated at eight feet high with at least two foot-candles 
D. Illuminated at nine feet high with at least two foot-candles 


Answer: B 


Explanation: 

The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet 
high with at least two foot-candles. 

It can also be referred to as illuminating to a height of eight feet, with a BRIGHTNESS of two foot-candles. 

One footcandle = 10.764 lux. The footcandle (or lumen per square foot) is a non-SI unit of illuminance. Like the BTU, it is obsolete but it is still in fairly common use 
in the United States, particularly in construction-related engineering and in building codes. Because lux and footcandles are different units of the same quantity, it 
is perfectly valid to convert footcandles to lux and vice versa. 

The name "footcandle" conveys "the illuminance cast on a surface by a one-candela source one foot away." As natural as this sounds, this style of name is now 
frowned upon, because the dimensional formula for the unit is not foot * candela, but lumens per square foot. 

Some sources do however note that the "lux" can be thought of as a "metre-candle" (i.e. the illuminance cast on a surface by a one-candela source one meter 
away). A source that is farther away casts less illumination than one that is close, so one lux is less illuminance than one footcandle. Since illuminance follows the 
inverse-square law, and since one foot = 0.3048 m, one lux = 0.3048^2 footcandle = 1/10.764 footcandle. 

TIPS FROM CLEMENT: 

Illuminance (light level): the amount of light, measured in foot-candles (US unit), that falls on a surface, either horizontal or vertical. 

Parking lots lighting needs to be an average of 2 foot candles; uniformity of not more than 3:1, no area less than 1 fc. 

All illuminance measurements are to be made on the horizontal plane with a certified light meter calibrated to NIST standards using traceable light sources. 

The CISSP Exam Cram 2 from Michael Gregg says: Lighting is a commonly used form of perimeter protection. 

Some studies have found that up to 80% of criminal acts at businesses and shopping centers happen in adjacent parking lots. Therefore, it's easy to see why 
lighting can be such an important concern. 

Outside lighting discourages prowlers and thieves. 

The National Institute of Standards and Technologies (NIST) states that, for effective perimeter control, buildings should be illuminated 8 feet high, with 2-foot 
candle power. 

Reference used for this question: 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 325. 

and 

Shon's AIO v5 pg 459 and 

http://en.wikipedia.org/wiki/Foot-candle 


NEW QUESTION 145 
- (Topic 1) 
What security model implies a central authority that defines rules, and sometimes global rules, dictating what subjects can have access to what objects? 


A. Flow Model 

B. Discretionary access control 

C. Mandatory access control 

D. Non-discretionary access control 


Answer: D 


Explanation: 

As a security administrator you might configure user profiles so that users cannot change the system's time, alter system configuration files, access a command 
prompt, or install unapproved applications. This type of access control is referred to as nondiscretionary, meaning that access decisions are not made at the 
discretion of the user. Nondiscretionary access controls are put into place by an authoritative entity (usually a security administrator) with the goal of protecting the 
organization's most critical assets. 

Non-discretionary access control is when a central authority determines what subjects can have access to what objects based on the organizational security policy. 
Centralized access control is not an existing security model. 

Both Rule-Based Access Control (RuBAC) and Role-Based Access Control (RBAC) fall into this category. 

Reference(s) used for this question: 

Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 221). McGraw- Hill. Kindle Edition. 

and 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access 
control systems (page 33). 


NEW QUESTION 147 

- (Topic 1) 

What does it mean to say that sensitivity labels are "incomparable"? 
A. The number of classification in the two labels is different. 

B. Neither label contains all the classifications of the other. 

C. The number of categories in the two labels is different. 

D. Neither label contains all the categories of the other. 


Answer: D 
Explanation: 

If a category does not exist in one of the labels, you cannot compare the labels on it. Two sensitivity labels are incomparable when they are disjoint in this sense: each 
label has a category that is not in the other label. "Because neither label contains all the categories of the other, the labels can't be compared. They're said to be 
incomparable." 

COMPARABILITY: 

The label: 

TOP SECRET [VENUS ALPHA] 

is "higher" than either of the labels: 

SECRET [VENUS ALPHA] 

TOP SECRET [VENUS] 

But you can't really say that the label: 

TOP SECRET [VENUS] 

is higher than the label: 

SECRET [ALPHA] 

Because neither label contains all the categories of the other, the labels can't be compared. They're said to be incomparable. In a mandatory access control 
system, you won't be allowed access to a file whose label is incomparable to your clearance. 

The Multilevel Security policy uses an ordering relationship between labels known as the dominance relationship. Intuitively, we think of a label that dominates 
another as being "higher" than the other. Similarly, we think of a label that is dominated by another as being "lower" than the other. The dominance relationship is 
used to determine permitted operations and information flows. 

DOMINANCE 
The dominance relationship is determined by the ordering of the Sensitivity/Clearance component of the label and by the intersection of the sets of Compartments. 
Sample Sensitivity/Clearance orderings are: 

Top Secret > Secret > Confidential > Unclassified 
s3 > s2 > s1 > s0 

Formally, for label 1 to dominate label 2 both of the following must be true: 

The sensitivity/clearance of label 1 must be greater than or equal to the sensitivity/clearance of label 2. 

The intersection of the compartments of label 1 and label 2 must equal the compartments of label 2 (that is, every compartment of label 2 is also in label 1). 

Additionally: 

Two labels are said to be equal if their sensitivity/clearance and set of compartments are exactly equal. Note that dominance includes equality. 
One label is said to strictly dominate the other if it dominates the other but is not equal to the other. 

Two labels are said to be incomparable if each label has at least one compartment that is not included in the other's set of compartments. 

The dominance relationship will produce a partial ordering over all possible MLS labels, resulting in what is known as the MLS Security Lattice. 
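The dominance rules above, written out as a worked example in Python. This is an added example, not code from the prep guide or from the O'Reilly chapter cited below; LEVELS, the Label class and the function names are my own, while the VENUS/ALPHA labels are the ones used in the explanation. One thing it adds to the page's wording: incomparable() is implemented as "neither label dominates the other", which covers the compartment case the page describes and also the case where the level ordering and the compartment ordering disagree (TOP SECRET [VENUS] against SECRET [VENUS ALPHA]). may_read() and may_write() apply the Bell-LaPadula simple security and *-properties (see question 183 below) on top of dominance, which is the MAC check the explanation refers to.

```python
# Added example: the MLS dominance relation and the lattice it induces.
# Level names follow the explanation; the code structure is my own.
from dataclasses import dataclass

# Linear ordering of the sensitivity/clearance component (s0 < s1 < s2 < s3).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str                          # sensitivity (object) or clearance (subject)
    compartments: frozenset = frozenset()  # the categories in square brackets

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown sensitivity level {self.level!r}")
        if not isinstance(self.compartments, frozenset):  # accept any iterable
            object.__setattr__(self, "compartments", frozenset(self.compartments))

    def dominates(self, other: "Label") -> bool:
        """Both conditions from the definition: level >= other's level, and
        compartments ∩ other.compartments == other.compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and (self.compartments & other.compartments) == other.compartments)

    def strictly_dominates(self, other: "Label") -> bool:
        return self.dominates(other) and self != other   # dominance includes equality

    def incomparable(self, other: "Label") -> bool:
        """Neither label dominates the other: the page's "each has a compartment
        the other lacks" case, plus level/compartment orderings that disagree."""
        return not self.dominates(other) and not other.dominates(self)


def join(a: Label, b: Label) -> Label:
    """Least upper bound in the MLS security lattice: the higher level and the
    union of compartments. It dominates both inputs and is the smallest label that does."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): clearance must dominate the object label."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object label must dominate the clearance."""
    return obj.dominates(subject)


# The labels from the explanation above.
TS_VENUS_ALPHA = Label("TOP SECRET", {"VENUS", "ALPHA"})
S_VENUS_ALPHA = Label("SECRET", {"VENUS", "ALPHA"})
TS_VENUS = Label("TOP SECRET", {"VENUS"})
S_ALPHA = Label("SECRET", {"ALPHA"})

if __name__ == "__main__":
    print("TS[VENUS ALPHA] dominates S[VENUS ALPHA]:", TS_VENUS_ALPHA.dominates(S_VENUS_ALPHA))
    print("TS[VENUS ALPHA] dominates TS[VENUS]:    ", TS_VENUS_ALPHA.dominates(TS_VENUS))
    print("TS[VENUS] vs S[ALPHA] incomparable:     ", TS_VENUS.incomparable(S_ALPHA))
    print("S[ALPHA] subject may read TS[VENUS]:    ", may_read(S_ALPHA, TS_VENUS))
    print("join(TS[VENUS], S[ALPHA]) =", join(TS_VENUS, S_ALPHA))
```

The partial order shows up in the output: a TOP SECRET [VENUS] clearance can neither read nor write a SECRET [ALPHA] object, and the only label that dominates both is their join, TOP SECRET [VENUS ALPHA].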
The following answers are incorrect: 

The number of classifications in the two labels is different. Incorrect because each label carries exactly one classification (sensitivity level); it is the categories, 
not the classifications, that make labels incomparable. 
Neither label contains all the classifications of the other. Incorrect for the same reason: the categories are what is being compared, not the classifications. 
The number of categories in the two labels is different. Incorrect because labels with different numbers of categories can still be compared, as TOP SECRET [VENUS 
ALPHA] and TOP SECRET [VENUS] above show; what makes two labels incomparable is that each has a category the other lacks. 

Reference(s) used for this question: 

O'Reilly - Computer Systems and Access Control (Chapter 3) http://www.oreilly.com/catalog/csb/chapter/ch03.html 
and http://rubix.com/cms/mls_dom 


NEW QUESTION 150 
- (Topic 1) 
Sensitivity labels are an example of what application control type? 


A. Preventive security controls 

B. Detective security controls 

C. Compensating administrative controls 
D. Preventive accuracy controls 


Answer: A 


Explanation: 

Sensitivity labels are a preventive security application control, as are firewalls, reference monitors, traffic padding, encryption, data classification, one-time 
passwords, contingency planning, and separation of development, application and test environments. 

The incorrect answers are: 

Detective security controls - Intrusion detection systems (IDS), monitoring activities, and audit trails. 

Compensating administrative controls - There is no such application control type. 

Preventive accuracy controls - data checks, forms, custom screens, validity checks, contingency planning, and backups. 

Sources: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: 
Applications and Systems Development (page 264). 

KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Application Controls, Figure 7.1 (page 360). 


NEW QUESTION 155 
- (Topic 1) 
Which of the following protection devices is used for spot protection within a few inches of the object, rather than for overall room security monitoring? 


A. Wave pattern motion detectors 
B. Capacitance detectors 

C. Field-powered devices 

D. Audio detectors 


Answer: B 


Explanation: 

Capacitance detectors monitor an electrical field surrounding the object being monitored. They are used for spot protection within a few inches of the object, rather 
than for the overall room security monitoring that wave pattern detectors provide. Penetration of this field changes the electrical capacitance of the field enough to 
generate an alarm. Wave pattern motion detectors generate a frequency wave pattern and send an alarm if the pattern is disturbed as it is reflected back to its 
receiver. Field-powered devices are a type of personnel access control device. Audio detectors simply monitor a room for any abnormal sound wave generation and 
trigger an alarm. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: 
Physical security (page 344). 
NEW QUESTION 160 
- (Topic 1) 
Which of the following biometric devices offers the LOWEST CER? 


A. Keystroke dynamics 
B. Voice verification 

C. Iris scan 

D. Fingerprint 


Answer: C 


Explanation: 

The crossover error rate (CER) is the point at which a biometric system's false acceptance rate equals its false rejection rate; the lower the CER, the more accurate the 
system. From most effective (lowest CER) to least effective (highest CER) the devices rank: iris scan, fingerprint, voice verification, keystroke dynamics. 
Reference : Shon Harris Aio v3 , Chapter-4 : Access Control , Page : 131 

Also see: http://www.sans.org/reading_room/whitepapers/authentication/biometric-selection-body-parts-online_139 
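Since the explanation only ranks the devices, here is the CER itself worked out in code: as the decision threshold is raised, the false acceptance rate (FAR) falls and the false rejection rate (FRR) rises, and the CER is the error rate where the two curves cross. This is an added example, not from Shon Harris or the SANS paper; the FAR/FRR samples per device are constructed to reproduce the ranking above and are not measurements of any real product.

```python
# Added example: locating the crossover error rate from sampled FAR/FRR
# curves and ranking devices by it. All numbers below are made up.

# (threshold, FAR, FRR) samples per device, ordered by threshold. Raising the
# threshold rejects more impostors (FAR falls) and more genuine users (FRR rises).
DEVICES = {
    "Iris scan":          [(0.3, 0.030, 0.000), (0.5, 0.012, 0.000), (0.7, 0.000, 0.006)],
    "Fingerprint":        [(0.3, 0.100, 0.000), (0.5, 0.040, 0.010), (0.7, 0.000, 0.050)],
    "Voice verification": [(0.3, 0.200, 0.010), (0.5, 0.080, 0.060), (0.7, 0.020, 0.140)],
    "Keystroke dynamics": [(0.3, 0.300, 0.020), (0.5, 0.150, 0.100), (0.7, 0.050, 0.250)],
}


def crossover_error_rate(points):
    """Return (threshold, CER) where FAR == FRR, interpolating linearly between
    the two samples that bracket the crossing. `points` must be ordered by
    threshold with FAR non-increasing and FRR non-decreasing."""
    for (t0, far0, frr0), (t1, far1, frr1) in zip(points, points[1:]):
        d0, d1 = far0 - frr0, far1 - frr1          # positive while FAR is above FRR
        if d0 == 0:
            return t0, far0
        if d0 > 0 >= d1:                           # the curves cross in [t0, t1]
            a = d0 / (d0 - d1)                     # fraction of the way from t0 to t1
            return t0 + a * (t1 - t0), far0 + a * (far1 - far0)
    t, far, frr = points[-1]
    if far == frr:
        return t, far
    raise ValueError("FAR and FRR do not cross in the sampled threshold range")


def rank_by_cer(devices):
    """Devices ordered from most to least accurate (lowest CER first)."""
    scored = [(name, crossover_error_rate(pts)[1]) for name, pts in devices.items()]
    return sorted(scored, key=lambda item: item[1])


if __name__ == "__main__":
    for name, cer in rank_by_cer(DEVICES):
        threshold, _ = crossover_error_rate(DEVICES[name])
        print(f"{name:20s} CER={cer:.4f} at threshold {threshold:.3f}")
```

Note that the CER is a single-number summary; an operator who cares more about keeping impostors out than about user convenience will run the device at a threshold above the crossover, accepting the higher FRR.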


NEW QUESTION 161 
- (Topic 1) 
Which of the following division is defined in the TCSEC (Orange Book) as minimal protection? 


A. Division D 
B. Division C 
C. Division B 
D. Division A 


Answer: A 


Explanation: 

The criteria are divided into four divisions: D, C, B, and A ordered in a hierarchical manner with the highest division (A) being reserved for systems providing the 
most comprehensive security. 

Each division represents a major improvement in the overall confidence one can place in the system for the protection of sensitive information. 

Within divisions C and B there are a number of subdivisions known as classes. The classes are also ordered in a hierarchical manner with systems representative 
of division C and lower classes of division B being characterized by the set of computer security mechanisms that they possess. 

Assurance of correct and complete design and implementation for these systems is gained mostly through testing of the security-relevant portions of the system. 
The security-relevant portions of a system are referred to throughout this document as the Trusted Computing Base (TCB). 

Systems representative of higher classes in division B and division A derive their security attributes more from their design and implementation structure. 
Increased assurance that the required features are operative, correct, and tamperproof under all circumstances is gained through progressively more rigorous 
analysis during the design process. 

TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels: 

Division D - minimal protection 
Division C - discretionary protection 
Division B - mandatory protection 
Division A - verified protection 

Reference: page 358 AIO V.5 Shon Harris 

also 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page 197. 

Also: 

THE source for all TCSEC "level" questions: http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt 


NEW QUESTION 164 

- (Topic 1) 

The throughput rate is the rate at which individuals, once enrolled, can be processed and 
identified or authenticated by a biometric system. Acceptable throughput rates are in the range of: 


A. 100 subjects per minute. 
B. 25 subjects per minute. 
C. 10 subjects per minute. 
D. 50 subjects per minute. 


Answer: C 


Explanation: 

The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. 

Acceptable throughput rates are in the range of 10 subjects per minute. 

Other factors that affect the acceptability of some types of biometric systems include: 

A concern with retina scanning systems may be the exchange of body fluids on the eyepiece. 

Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure. 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38. 


NEW QUESTION 166 
- (Topic 1) 
Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished: 


A. through access control mechanisms that require identification and authentication and through the audit function. 

B. through logical or technical controls involving the restriction of access to systems and the protection of information. 

C. through logical or technical controls but not involving the restriction of access to systems and the protection of information. 

D. through access control mechanisms that do not require identification and authentication and do not operate through the audit function. 


Answer: A 
Explanation: 


Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms 
that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization's 
security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system. 
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33. 


NEW QUESTION 169 
- (Topic 1) 
What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions? 


A. A 
B. D 
C. E 
D. F 


Answer: B 


Explanation: 

D or "minimal protection" is reserved for systems that were evaluated under the TCSEC but did not meet the requirements for a higher trust level. 

A is incorrect. A or "Verified Protection" is the highest trust level under the TCSEC. 
E is incorrect. The trust levels are A - D, so "E" is not a valid trust level. 
F is incorrect. The trust levels are A - D, so "F" is not a valid trust level. 

CBK, pp. 329 - 330 

AIO3, pp. 302 - 306 


NEW QUESTION 173 
- (Topic 1) 
Which of the following models does NOT include data integrity or conflict of interest? 


A. Biba 

B. Clark-Wilson 

C. Bell-LaPadula 
D. Brewer-Nash 


Answer: C 


Explanation: 

Bell-LaPadula model (Bell 1975): the granularity of objects and subjects is not predefined, but the model prescribes simple access rights. Based on simple access 
restrictions, the Bell-LaPadula model enforces a discretionary access control policy enhanced with mandatory rules. Applications with rigid confidentiality 
requirements and without strong integrity requirements can be modeled properly. 

These simple rights combined with the mandatory rules of the policy considerably restrict the spectrum of applications which can be appropriately modeled. 
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. 

Also check: 

Proceedings of the IFIP TC11 12th International Conference on Information Security, Samos (Greece), May 1996, On Security Models. 


NEW QUESTION 174 
- (Topic 1) 
Like the Kerberos protocol, SESAME is also subject to which of the following? 


A. timeslot replay 

B. password guessing 

C. symmetric key guessing 
D. asymmetric key guessing 


Answer: B 


Explanation: 

Sesame is an authentication and access control protocol, that also supports communication confidentiality and integrity. It provides public key based 
authentication along with the Kerberos style authentication, that uses symmetric key cryptography. Sesame supports the Kerberos protocol and adds some 
security extensions like public key based authentication and an ECMA-style Privilege Attribute Service. 

Users under SESAME can authenticate using either symmetric encryption as in Kerberos or public key authentication. When using symmetric key 
authentication as in Kerberos, SESAME is vulnerable to password guessing just as Kerberos is. 

The symmetric key being used is derived from the password the user entered when logging on to the system. If the user has a simple password it can be guessed 
or compromised. Even though Kerberos or SESAME may be in use, there is still a need for strong password discipline. 

The basic mechanism in SESAME for strong authentication is as follows: 

The user sends a request for authentication to the Authentication Server as in Kerberos, except that SESAME makes use of public key cryptography for 
authentication: the client presents his digital certificate and the request is signed with a digital signature. The signature is communicated to the 
authentication server through the preauthentication fields. Upon receipt of this request, the authentication server verifies the certificate, then validates the 
signature, and if all is fine the AS issues a ticket granting ticket (TGT) as in Kerberos. This TGT is used to communicate with the privilege attribute server 
(PAS) when access to a resource is needed. 

Users may authenticate using either a public key pair or a conventional (symmetric) key. If public key cryptography is used, public key data is transported in 
preauthentication data fields to help establish identity. 

Kerberos uses tickets for authenticating subjects to objects and SESAME uses Privileged Attribute Certificates (PAC), which contain the subject's identity, 
access capabilities for the object, access time period, and lifetime of the PAC. The PAC is digitally signed so that the object can validate that it came from the 
trusted authentication server, which is referred to as the privilege attribute server (PAS). The PAS holds a role similar to the KDC within Kerberos. After a user 
successfully authenticates to the authentication service (AS), he is presented with a token to give to the PAS. The PAS then creates a PAC for the user to present 
to the resource he is trying to access. 

Reference(s) used for this question: http://srg.cs.uiuc.edu/Security/nephilim/Internal/SESAME.txt 

and 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 43. 


NEW QUESTION 176 
- (Topic 1) 
The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following? 


A. clipping level 
B. acceptance level 
C. forgiveness level 
D. logging level 


Answer: A 


Explanation: 

The correct answer is "clipping level". This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. 
That action may be to log the activity, lock a user account, temporarily close a port, etc. 

Example: The most classic example of a clipping level is failed login attempts. If you have a system configured to lock a user's account after three failed login 
attempts, that is the "clipping level". 
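The failed-login example above, turned into detection logic that runs over log lines. This is an added example and not code from the referenced books; the log format, the sample lines and the choice of a sliding five-minute window are my own assumptions (the page only says "a preset number of times", and many systems also reset the counter on a successful login, which the code does as well).

```python
# Added example: producing a violation record once failed logins for a user
# reach the clipping level within a time window. Log format and sample lines
# are constructed for the demonstration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: alice fails three times in 11 seconds, bob fails
# twice then succeeds, carol fails three times but ten minutes apart.
SAMPLE_LOG = """\
2001-03-05T10:00:01 LOGIN_FAILED user=alice src=10.0.0.5
2001-03-05T10:00:07 LOGIN_FAILED user=alice src=10.0.0.5
2001-03-05T10:00:09 LOGIN_FAILED user=bob src=10.0.0.9
2001-03-05T10:00:12 LOGIN_FAILED user=alice src=10.0.0.5
2001-03-05T10:00:20 LOGIN_FAILED user=bob src=10.0.0.9
2001-03-05T10:00:25 LOGIN_OK user=bob src=10.0.0.9
2001-03-05T10:01:00 LOGIN_FAILED user=bob src=10.0.0.9
2001-03-05T10:10:00 LOGIN_FAILED user=carol src=10.0.0.7
2001-03-05T10:20:00 LOGIN_FAILED user=carol src=10.0.0.7
2001-03-05T10:30:00 LOGIN_FAILED user=carol src=10.0.0.7
""".splitlines()


def find_violations(lines, clipping_level=3, window=timedelta(minutes=5)):
    """Return one violation record per user each time the number of failed
    logins within `window` reaches `clipping_level`. Failures below the
    clipping level are forgiven; a successful login clears the user's count.
    Lines that do not match the expected format are skipped."""
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failures
    violations = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        user = m["user"]
        if m["event"] == "LOGIN_OK":
            recent_failures[user].clear()
            continue
        q = recent_failures[user]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= clipping_level:
            violations.append({"user": user, "count": len(q), "at": ts, "src": m["src"]})
            q.clear()                         # the record is produced; start counting again
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['at'].isoformat()} clipping level reached: user={v['user']} "
              f"failures={v['count']} src={v['src']}")
```

With the defaults only alice trips the clipping level; carol's three failures are each forgiven because they never fall inside one window, which is exactly the trade-off a clipping level makes between noise reduction and a slow, patient guessing attack.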

The other answers are not correct because: 

Acceptance level, forgiveness level, and logging level are nonsensical terms that do not exist (to my knowledge) within network security. 

Reference: 

Official ISC2 Guide - The term "clipping level" is not in the glossary or index of that book. I cannot find it in the text either. However, I'm quite certain that it would 
be considered part of the CBK, despite its exclusion from the Official Guide. 

All-in-One, Third Edition, pages 136-137 


NEW QUESTION 180 
- (Topic 1) 
Which of the following is most appropriate to notify an internal user that session monitoring is being conducted? 


A. Logon Banners 

B. Wall poster 

C. Employee Handbook 
D. Written agreement 


Answer: D 


Explanation: 

This is a tricky question, the keyword in the question is Internal users. 

There are two possible answers based on how the question is presented, this question could either apply to internal users or ANY anonymous/external users. 
Internal users should always have a written agreement first, then logon banners serve as a constant reminder. 

Banners at log-on time should be used to notify external users of any monitoring that is being conducted. A good banner gives you better legal standing and 
also makes it obvious that the user was warned about who should access the system, who is authorized and unauthorized, and that an unauthorized user is 
fully aware he is trespassing. Anonymous/external users, such as those logging into a web site, FTP server or even a mail server, have the logon banner as their 
only means of notification. 

References used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 50. 

and 

Shon Harris, CISSP All-in-one, 5th edition, pg 873 


NEW QUESTION 182 
- (Topic 1) 
Which of the following is most appropriate to notify an external user that session monitoring is being conducted? 


A. Logon Banners 

B. Wall poster 

C. Employee Handbook 
D. Written agreement 


Answer: A 


Explanation: 

Banners at log-on time should be used to notify external users of any monitoring that is being conducted. A good banner gives you better legal standing and 
also makes it obvious that the user was warned about who should access the system, and that an unauthorized user is fully aware he is trespassing. 
This is a tricky question, the keyword in the question is External user. 

There are two possible answers based on how the question is presented, this question could either apply to internal users or ANY anonymous user. 

Internal users should always have a written agreement first, then logon banners serve as a constant reminder. 

Anonymous users, such as those logging into a web site, ftp server or even a mail server; their only notification system is the use of a logon banner. 

References used for this question: 

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 50. 
and 
Shon Harris, CISSP All-in-one, 5th edition, pg 873 


NEW QUESTION 183 
- (Topic 1) 
What does the simple security (ss) property mean in the Bell-LaPadula model? 


A. No read up 

B. No write down 
C. No read down 
D. No write up 
Answer: A 


Explanation: 
The ss (simple security) property of the Bell-LaPadula access control model states that reading of information by a subject at a lower sensitivity level from an 
object at a higher sensitivity level is not permitted (no read up). 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: 
Security Architectures and Models (page 202). 


NEW QUESTION 188 
- (Topic 1) 
Which one of the following factors is NOT one on which Authentication is based? 


A. Type 1. Something you know, such as a PIN or password 

B. Type 2. Something you have, such as an ATM card or smart card 

C. Type 3. Something you are (based upon one or more intrinsic physical or behavioral traits), such as a fingerprint or retina scan 
D. Type 4. Something you are, such as a system administrator or security administrator 


Answer: D 


Explanation: 

Authentication is based on the following three factor types: 

Type 1. Something you know, such as a PIN or password 

Type 2. Something you have, such as an ATM card or smart card 

Type 3. Something you are (Unique physical characteristic), such as a fingerprint or retina scan 

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36. 
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 132-133). 


NEW QUESTION 192 
- (Topic 1) 
The "vulnerability of a facility" to damage or attack may be assessed by all of the following except: 


A. Inspection 

B. History of losses 
C. Security controls 
D. security budget 


Answer: D 


Explanation: 
Source: The CISSP Examination Textbook- Volume 2: Practice by S. Rao Vallabhaneni. 


NEW QUESTION 197 
- (Topic 1) 
Which of the following statements pertaining to using Kerberos without any extension is false? 


A. A client can be impersonated by password-guessing. 
B. Kerberos is mostly a third-party authentication protocol. 
C. Kerberos uses public key cryptography. 

D. Kerberos provides robust authentication. 


Answer: C 


Explanation: 

Kerberos is a trusted, credential-based, third-party authentication protocol that uses symmetric (secret) key cryptography to provide robust authentication to clients 
accessing services on a network. 

Because a client's password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client. 
Here is a nice overview of HOW Kerberos is implemented, as described in RFC 4556: 

1. Introduction 

The Kerberos V5 protocol [RFC4120] involves use of a trusted third party known as the Key Distribution Center (KDC) to negotiate shared session keys between 
clients and services and provide mutual authentication between them. 

The corner-stones of Kerberos V5 are the Ticket and the Authenticator. A Ticket encapsulates a symmetric key (the ticket session key) in an envelope (a public 
message) intended for a specific service. The contents of the Ticket are encrypted with a symmetric key shared between the service principal and the issuing 
KDC. The encrypted part of the Ticket contains the client principal name, among other items. An Authenticator is a record that can be shown to have been recently 
generated using the ticket session key in the associated Ticket. The ticket session key is known by the client who requested the ticket. The contents of the 
Authenticator are encrypted with the associated ticket session key. The encrypted part of an Authenticator contains a timestamp and the client principal name, 
among other items. 

As shown in Figure 1, below, the Kerberos V5 protocol consists of the following message exchanges between the client and the KDC, and the client and the 
application service: 

The Authentication Service (AS) Exchange 

The client obtains an "initial" ticket from the Kerberos authentication server (AS), typically a Ticket Granting Ticket 

(TGT). The AS-REQ message and the AS-REP message are the request and the reply message, respectively, between the client and the 

AS. 

The Ticket Granting Service (TGS) Exchange 

The client subsequently uses the TGT to authenticate and request a service ticket for a particular service, from the Kerberos 

ticket-granting server (TGS). The TGS-REQ message and the TGS-REP message are the request and the reply message respectively between the client and the 
TGS. 

The Client/Server Authentication Protocol (AP) Exchange 

The client then makes a request with an AP-REQ message, consisting of a service ticket and an authenticator that certifies the 

client's possession of the ticket session key. The server may optionally reply with an AP-REP message. AP exchanges typically negotiate session-specific 
symmetric keys. 

Usually, the AS and TGS are integrated in a single device also known as the KDC. 
[Figure 1 (RFC 4556): The Message Exchanges in the Kerberos V5 Protocol. Client <-> KDC: AS-REQ / AS-REP, then TGS-REQ / TGS-REP; Client -> Application 
Server: AP-REQ, optionally answered by AP-REP.] 

In the AS exchange, the KDC reply contains the ticket session key, among other items, that is encrypted using a key (the AS reply key) shared between the client 
and the KDC. The AS reply key is typically derived from the client's password for human users. Therefore, for human users, the attack resistance strength of the 
Kerberos protocol is no stronger than the strength of their passwords. 
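The last paragraph is the whole reason password guessing works against Kerberos, and against SESAME in its symmetric mode (question 174 above): the AS reply key is derived from the password, and the AS-REP's encrypted part is something an attacker can test candidate keys against offline. The toy model below is an added example, not code from the prep guide, Shon Harris or RFC 4556. Its cipher (a SHA-256 keystream plus an HMAC tag) is a throwaway construction and not a Kerberos encryption type, string_to_key() stands in for the real string-to-key functions, and the realm, principal, password and wordlist are made up. In real deployments this is the attack run against AS-REP messages for principals that do not require pre-authentication, or against a captured pre-authentication timestamp; both are cracked the same way, by deriving keys from guessed passwords until one verifies.

```python
# Added example: why the strength of Kerberos for human users is bounded by
# their password. Toy cipher and made-up values; not a Kerberos enctype.
import hashlib
import hmac
import json
import os

ITERATIONS = 4096   # PBKDF2 rounds for the demo; real string-to-key rules differ per enctype


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function. The salt mirrors the
    Kerberos convention of realm + principal so two users with the same
    password still get different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag. The tag is what makes a wrong key detectable,
    the role the confounder/checksum plays inside a real Kerberos EncryptedData."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def kdc_as_exchange(principal: str, password: str, realm: str = "EXAMPLE.COM") -> bytes:
    """KDC side of the AS exchange: build the AS-REP encrypted part, which
    carries the ticket session key, under the AS reply key derived from the
    user's password. (The TGT itself, encrypted to krbtgt, is omitted.)"""
    as_reply_key = string_to_key(password, realm + principal)
    session_key = os.urandom(16)
    enc_part = {"session_key": session_key.hex(), "nonce": 42, "sname": "krbtgt/" + realm}
    return encrypt(as_reply_key, json.dumps(enc_part).encode())


def client_recover_session_key(principal: str, password: str, as_rep: bytes, realm: str = "EXAMPLE.COM"):
    """Client side: derive the same AS reply key and open the AS-REP."""
    plain = decrypt(string_to_key(password, realm + principal), as_rep)
    return None if plain is None else json.loads(plain)["session_key"]


def guess_password(principal: str, as_rep: bytes, wordlist, realm: str = "EXAMPLE.COM"):
    """Offline attack: an eavesdropper who captured the AS-REP tries candidate
    passwords; the KDC is never contacted, so lockouts and audit logs never fire."""
    for candidate in wordlist:
        if decrypt(string_to_key(candidate, realm + principal), as_rep) is not None:
            return candidate
    return None


if __name__ == "__main__":
    as_rep = kdc_as_exchange("alice", "Summer2001")            # made-up password
    print("client session key:", client_recover_session_key("alice", "Summer2001", as_rep))
    print("guessed password:  ", guess_password("alice", as_rep,
                                                ["password", "letmein", "Summer2001"]))
```

The attacker's loop is bounded only by how many guesses per second the string-to-key function allows, which is why the prep guide's advice holds: even with Kerberos or SESAME in place, password quality (or pre-authentication with a smart card or public key, as SESAME offers) is what actually limits this attack.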

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: 
Access control systems (page 40). 

And 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 147-151). 

and http://www.ietf.org/rfc/rfc4556.txt 


NEW QUESTION 200 
- (Topic 1) 
Which of the following best ensures accountability of users for the actions taken within a system or domain? 


A. Identification 
B. Authentication 
C. Authorization 
D. Credentials 


Answer: B 


Explanation: 

Details: 

The only way to ensure accountability is if the subject is uniquely identified and authenticated. Identification alone does not provide proof the user is who they claim 
to be. After showing proper credentials, a user is authorized access to resources. 

References: 

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 126). 


NEW QUESTION 203 
- (Topic 1) 
What kind of certificate is used to validate a user identity? 


A. Public key certificate 

B. Attribute certificate 

C. Root certificate 

D. Code signing certificate 


Answer: A 


Explanation: 

In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an 
identity: information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs 
to an individual. 

In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a 
self-signed certificate) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity 
information and the public key belong together. 

In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer to 
use a service or a resource that the issuer controls or has access to use. The permission can be delegated. 

Some people constantly confuse PKCs and ACs. An analogy may make the distinction clear. A PKC can be considered to be like a passport: it identifies the 
holder, tends to last for a long time, and should not be trivial to obtain. An AC is more like an entry visa: it is typically issued by a different authority and does not 
last for as long a time. As acquiring an entry visa typically requires presenting a passport, getting a visa can be a simpler process. 

A real life example of this can be found in the mobile software deployments by large service providers and are typically applied to platforms such as Microsoft 
Smartphone (and related), Symbian OS, J2ME, and others. 

In each of these systems a mobile communications service provider may customize the mobile terminal client distribution (i.e., the mobile phone operating system or 
application environment) to include one or more root certificates each associated with a set of capabilities or permissions such as "update firmware", "access 
address book", "use radio interface”, and the most basic one, "install and execute”. When a developer wishes to enable distribution and execution in one of these 
controlled environments they must acquire a certificate from an appropriate CA, typically a large commercial CA, and in the process they usually have their identity 
verified using out-of-band mechanisms such as a combination of phone call, validation of their legal entity through government and commercial databases, etc., 
similar to the high assurance SSL certificate vetting process, though often there are additional specific requirements imposed on would-be developers/publishers. 
Once the identity has been validated they are issued an identity certificate they can use to sign their software; generally the software signed by the developer or 
publisher's identity certificate is not distributed but rather it is submitted to processor to possibly test or profile the content before generating an authorization 
certificate which is unique to the particular software release. That certificate is then used with an ephemeral asymmetric key-pair to sign the software as the last 
step of preparation for distribution. There are many advantages to separating the identity and authorization certificates especially relating to risk mitigation of new 
content being accepted into the system and key management as well as recovery from errant software which can be used as attack vectors. 
References: 
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 540. 
http://en.wikipedia.org/wiki/Attribute_certificate http://en.wikipedia.org/wiki/Public_key_certificate 